From d6a676f0a681e1b87dfdb31012464ef2d6b966dc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 3 Jan 2022 20:12:14 +0000 Subject: [PATCH 1/4] systemd: Add systemd-homed and systemd-userdbd. Systemd-homed does not completely work since the code does not label the filesystems it creates. systemd-userdbd partially derived from the Fedora policy. Signed-off-by: Chris PeBenito --- policy/modules/kernel/files.if | 18 +++ policy/modules/services/mta.if | 1 + policy/modules/services/ssh.if | 1 + policy/modules/system/fstools.if | 1 + policy/modules/system/init.if | 18 +++ policy/modules/system/init.te | 1 + policy/modules/system/lvm.te | 4 + policy/modules/system/systemd.fc | 9 +- policy/modules/system/systemd.if | 38 ++++-- policy/modules/system/systemd.te | 194 +++++++++++++++++++++++++++- policy/modules/system/userdomain.if | 4 + policy/support/misc_patterns.spt | 28 ++++ 12 files changed, 304 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 495cbe2f4..e3c22b94a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3849,6 +3849,24 @@ interface(`files_relabelfrom_home',` allow $1 home_root_t:dir relabelfrom; ') +######################################## +## +## Watch the user home root (/home). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir watch; +') + ######################################## ## ## Create objects in /home. diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 924039579..779c9a971 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -784,6 +784,7 @@ interface(`mta_list_spool',` ') allow $1 mail_spool_t:dir list_dir_perms; + files_search_spool($1) ') ####################################### 
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index ae23e1995..b9ed26bc8 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -277,6 +277,7 @@ template(`ssh_server_template', ` optional_policy(` systemd_read_logind_sessions_files($1_t) + systemd_stream_connect_userdb($1_t) ') ') diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if index 6ebe38003..f994965af 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -61,6 +61,7 @@ interface(`fstools_exec',` ') can_exec($1, fsadm_exec_t) + corecmd_search_bin($1) ') ######################################## diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index abc983112..fda2faca5 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1114,6 +1114,24 @@ interface(`init_rw_stream_sockets',` allow $1 init_t:unix_stream_socket rw_stream_socket_perms; ') +######################################## +## +## Do not audit attempts to search init keys. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dontaudit_search_keys',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:key search; +') + ######################################## ## ## start service (systemd). diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 4d2c48838..01a0eb786 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -514,6 +514,7 @@ ifdef(`init_systemd',` systemd_manage_userdb_runtime_sock_files(init_t) systemd_manage_userdb_runtime_dirs(init_t) systemd_filetrans_userdb_runtime_dirs(init_t) + systemd_stream_connect_userdb(init_t) term_create_devpts_dirs(init_t) term_create_ptmx(init_t) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index dcb4f410e..1cf6e1753 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te 
@@ -251,6 +251,10 @@ optional_policy(` rpm_manage_script_tmp_files(lvm_t) ') +optional_policy(` + systemd_rw_homework_semaphores(lvm_t) +') + optional_policy(` udev_read_runtime_files(lvm_t) ') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index c8e1dcc6e..e9e9af4c1 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -29,6 +29,8 @@ /usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0) /usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0) /usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) +/usr/lib/systemd/systemd-homed -- gen_context(system_u:object_r:systemd_homed_exec_t,s0) +/usr/lib/systemd/systemd-homework -- gen_context(system_u:object_r:systemd_homework_exec_t,s0) /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0) /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) @@ -43,6 +45,8 @@ /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0) /usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0) /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) +/usr/lib/systemd/systemd-userdbd -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0) +/usr/lib/systemd/systemd-userwork -- gen_context(system_u:object_r:systemd_userdbd_exec_t,s0) # Systemd unit files HOME_DIR/\.config/systemd(/.*)? gen_context(system_u:object_r:systemd_conf_home_t,s0) 
@@ -62,6 +66,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0) /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0) /usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-userdbd\.(service|socket) -- gen_context(system_u:object_r:systemd_userdbd_unit_t,s0) /usr/lib/systemd/system/user@\.service -- gen_context(system_u:object_r:systemd_user_manager_unit_t,s0) /usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_factory_conf_t,s0) @@ -70,6 +75,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) +/var/lib/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) /var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0) /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) 
@@ -86,11 +92,12 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0) /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0) +/run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0) /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0) /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0) -/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdb_runtime_t,s0) +/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0) /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0) /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0) /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index e52141240..e68a9b443 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -863,6 +863,24 @@ interface(`systemd_PrivateDevices',` fs_read_tmpfs_symlinks($1) ') +###################################### +## +## Read and write systemd-homework semaphores. +## +## +## +## Domain allowed access +## +## +# +interface(`systemd_rw_homework_semaphores',` + gen_require(` + type systemd_homework_t; + ') + + allow $1 systemd_homework_t:sem rw_sem_perms; +') + ####################################### ## ## Allow domain to read udev hwdb file 
@@ -1191,10 +1209,10 @@ interface(`systemd_signull_logind',` # interface(`systemd_manage_userdb_runtime_dirs', ` gen_require(` - type systemd_userdb_runtime_t; + type systemd_userdbd_runtime_t; ') - manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t) + manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) ') ######################################## @@ -1209,10 +1227,10 @@ interface(`systemd_manage_userdb_runtime_dirs', ` # interface(`systemd_manage_userdb_runtime_sock_files', ` gen_require(` - type systemd_userdb_runtime_t; + type systemd_userdbd_runtime_t; ') - manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t) + manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) ') ######################################## @@ -1227,12 +1245,12 @@ interface(`systemd_manage_userdb_runtime_sock_files', ` # interface(`systemd_stream_connect_userdb', ` gen_require(` - type systemd_userdb_runtime_t; + type systemd_userdbd_t, systemd_userdbd_runtime_t; ') init_search_runtime($1) - allow $1 systemd_userdb_runtime_t:dir list_dir_perms; - allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms; + allow $1 systemd_userdbd_runtime_t:dir list_dir_perms; + stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t) init_unix_stream_socket_connectto($1) ') @@ -1404,7 +1422,7 @@ interface(`systemd_filetrans_passwd_runtime_dirs',` ######################################## ## -## Transition to systemd_userdb_runtime_t when +## Transition to systemd_userdbd_runtime_t when ## creating the userdb directory inside an init runtime ## directory. ## 
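Review bot: `systemd_stream_connect_userdb` now reaches only sockets labeled systemd_userdbd_runtime_t with systemd_userdbd_t as the peer, yet this series also places other services' sockets under /run/systemd/userdb: homed's (systemd_homed_runtime_t via the filetrans in systemd.te) and machined's. If libsystemd's userdb client falls back to the per-service sockets when the multiplexer is unavailable, callers such as sshd and the common user domains would be denied on those, so either state the narrower scope in the interface description, e.g. `## Connect to the systemd-userdbd multiplexer socket; per-service sockets (homed, machined) are not covered.`, or extend the interface. The retained `init_unix_stream_socket_connectto($1)` is still needed for the socket-activated listener and should stay.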
@@ -1416,10 +1434,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',` # interface(`systemd_filetrans_userdb_runtime_dirs', ` gen_require(` - type systemd_userdb_runtime_t; + type systemd_userdbd_runtime_t; ') - init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb") + init_runtime_filetrans($1, systemd_userdbd_runtime_t, dir, "userdb") ') ###################################### diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 2de605bb3..83d0aeab0 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -115,6 +115,28 @@ typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_gene typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t }; init_system_domain(systemd_generator_t, systemd_generator_exec_t) +type systemd_homed_t; +type systemd_homed_exec_t; +init_daemon_domain(systemd_homed_t, systemd_homed_exec_t) + +type systemd_homework_t; +type systemd_homework_exec_t; +domain_type(systemd_homework_t) +domain_entry_file(systemd_homework_t, systemd_homework_exec_t) +role system_r types systemd_homework_t; + +type systemd_homed_runtime_t; +files_runtime_file(systemd_homed_runtime_t) + +type systemd_homed_storage_t; +files_type(systemd_homed_storage_t) + +type systemd_homed_tmpfs_t; +files_tmpfs_file(systemd_homed_tmpfs_t) + +type systemd_homed_var_lib_t; +files_type(systemd_homed_var_lib_t) + type systemd_hostnamed_t; type systemd_hostnamed_exec_t; init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t) 
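Review bot: `systemd_homed_storage_t` is declared with files_type but no systemd.fc entry in this series matches the objects it labels; instances only arise through `files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)` in the homework section. A relabel of /home (restorecon, setfiles) would then revert those image files to the home-directory default unless a pattern exists outside this diff, and homed/homework would lose access to them. A comment at the declaration recording how instances are created, e.g. `# per-user home images created by systemd-homework under /home; no fc pattern yet`, or an fc pattern for those files, would close that gap.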
@@ -297,8 +319,15 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t) type systemd_user_tmpfs_t; userdom_user_tmpfs_file(systemd_user_tmpfs_t) -type systemd_userdb_runtime_t; -files_runtime_file(systemd_userdb_runtime_t) +type systemd_userdbd_t; +type systemd_userdbd_exec_t; +init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t) + +type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t; +files_runtime_file(systemd_userdbd_runtime_t) + +type systemd_userdbd_unit_t; +init_unit_file(systemd_userdbd_unit_t) type systemd_user_unit_t; init_unit_file(systemd_user_unit_t) @@ -469,6 +498,8 @@ kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t) kernel_read_kernel_sysctls(systemd_generator_t) kernel_dontaudit_getattr_proc(systemd_generator_t) +# Where an unlabeled mountpoint is encounted: +kernel_dontaudit_search_unlabeled(systemd_generator_t) storage_raw_read_fixed_disk(systemd_generator_t) 
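Review bot: Typo in the new comment: `# Where an unlabeled mountpoint is encounted:` should read `# Where an unlabeled mountpoint is encountered:`. Naming which generator step hits the unlabeled mountpoint would also make the dontaudit easier to revisit later, since silencing searches of unlabeled_t hides denials that otherwise signal mislabeled mounts.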
@@ -493,6 +524,125 @@ optional_policy(` miscfiles_read_localization(systemd_generator_t) ') +####################################### +# +# systemd-homed policy +# + +dontaudit systemd_homed_t self:capability { sys_resource sys_admin }; +allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms; + +nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, systemd_homework_t) + +allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms; +fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file) + +manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t) +manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, systemd_homed_runtime_t) +filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, systemd_homed_runtime_t, sock_file) +init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir) + +allow systemd_homed_t systemd_homed_storage_t:file read_file_perms; + +allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms; +allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms; +init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir) + +# Entries such as /sys/devices/virtual/block/loop1/uevent: +dev_read_sysfs(systemd_homed_t) + +files_list_home(systemd_homed_t) +files_watch_home(systemd_homed_t) +files_read_etc_files(systemd_homed_t) +files_search_tmp(systemd_homed_t) + +fs_get_xattr_fs_quotas(systemd_homed_t) +fs_getattr_all_fs(systemd_homed_t) + +kernel_read_kernel_sysctls(systemd_homed_t) +kernel_read_crypto_sysctls(systemd_homed_t) +kernel_read_system_state(systemd_homed_t) + +systemd_log_parse_environment(systemd_homed_t) + +udev_read_runtime_files(systemd_homed_t) + +optional_policy(` + dbus_system_bus_client(systemd_homed_t) + dbus_connect_system_bus(systemd_homed_t) + + init_dbus_chat(systemd_homed_t) +') + +optional_policy(` + mta_list_spool(systemd_homed_t) +') + +optional_policy(` + unconfined_dbus_send(systemd_homed_t) +') + 
+####################################### +# +# systemd-homework policy +# + +allow systemd_homework_t self:capability { chown fowner fsetid sys_admin }; +dontaudit systemd_homework_t self:capability sys_resource; +allow systemd_homework_t self:key { search write }; +allow systemd_homework_t self:process getsched; +allow systemd_homework_t self:sem create_sem_perms; + +allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms; +allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms; +files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file) +init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir) + +# mount on /run/systemd/user-home-mount +allow systemd_homework_t systemd_homed_runtime_t:dir mounton; + +allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms; +files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file) + +allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms; + +dev_rw_loop_control(systemd_homework_t) +dev_read_rand(systemd_homework_t) +dev_read_urand(systemd_homework_t) +dev_rw_lvm_control(systemd_homework_t) +# Entries such as /sys/devices/virtual/block/loop1/uevent: +dev_read_sysfs(systemd_homework_t) + +files_read_etc_files(systemd_homework_t) +files_mounton_runtime_dirs(systemd_homework_t) + +fs_getattr_all_fs(systemd_homework_t) +fs_search_all(systemd_homework_t) +fs_mount_xattr_fs(systemd_homework_t) +fs_unmount_xattr_fs(systemd_homework_t) + +fstools_exec(systemd_homework_t) + +init_rw_inherited_stream_socket(systemd_homework_t) +init_use_fds(systemd_homework_t) +init_dontaudit_search_keys(systemd_homework_t) + +kernel_write_key(systemd_homework_t) +kernel_get_sysvipc_info(systemd_homework_t) +kernel_request_load_module(systemd_homework_t) + +kernel_read_kernel_sysctls(systemd_homework_t) +kernel_read_crypto_sysctls(systemd_homework_t) +kernel_read_system_state(systemd_homework_t) + +# loopback: 
+storage_raw_read_fixed_disk(systemd_homework_t) +storage_raw_write_fixed_disk(systemd_homework_t) + +systemd_log_parse_environment(systemd_homework_t) + +udev_read_runtime_files(systemd_homework_t) + ####################################### # # Hostnamed policy @@ -623,6 +773,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms; allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms; allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms; +stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t) + kernel_dontaudit_getattr_proc(systemd_logind_t) kernel_read_kernel_sysctls(systemd_logind_t) @@ -787,6 +939,8 @@ allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_chr_file_perm manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t) allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms; +manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) + kernel_read_kernel_sysctls(systemd_machined_t) kernel_read_system_state(systemd_machined_t) 
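Review bot: `storage_raw_write_fixed_disk(systemd_homework_t)` under the `# loopback:` comment grants raw write to every device of fixed_disk_device_t, not only loop devices (in refpolicy loop devices share that type), and with `fstools_exec` and `dev_rw_lvm_control` in the same section this domain can overwrite any attached disk. If that scope is intended, since homed can also place homes on real block devices, the comment should say so, e.g. `# loop devices share fixed_disk_device_t; also covers block-device-backed homes`; if only loop-backed images are intended, note that no narrower type is available so the grant is not mistaken for an oversight later.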
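Review bot: The inline `stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)` omits the `init_unix_stream_socket_connectto` that `systemd_stream_connect_userdb` carries, so when the userdbd listener is socket-activated (systemd-userdbd.socket is labeled in this series) the connect would be denied on init_t's socket unless logind already has that elsewhere. Since systemd.te already calls the module's own interfaces (e.g. `systemd_log_parse_environment`), `systemd_stream_connect_userdb(systemd_logind_t)` would be the consistent and complete form.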
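Review bot: `manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)` lets machined create its socket under /run/systemd/userdb, but nothing in this series grants systemd_userdbd_t `unix_stream_socket connectto` toward systemd_machined_t, so the multiplexer's queries to that socket would be denied unless allowed elsewhere. A `stream_connect_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_machined_t)` in the userdbd section, mirroring the homed one there, would cover it.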
@@ -1578,6 +1732,42 @@ udev_list_runtime(systemd_user_session_type) seutil_libselinux_linked(systemd_user_session_type) +######################################## +# +# systemd-userdbd local policy +# + +allow systemd_userdbd_t self:capability dac_read_search; +allow systemd_userdbd_t self:process signal; + +stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t) + +manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir) + +can_exec(systemd_userdbd_t, systemd_userdbd_exec_t) + +auth_read_shadow(systemd_userdbd_t) +auth_use_nsswitch(systemd_userdbd_t) + +dev_read_urand(systemd_userdbd_t) + +files_read_etc_files(systemd_userdbd_t) +files_read_etc_runtime_files(systemd_userdbd_t) +files_read_usr_files(systemd_userdbd_t) + +fs_read_efivarfs_files(systemd_userdbd_t) + +init_stream_connect(systemd_userdbd_t) +init_search_runtime(systemd_userdbd_t) +init_read_state(systemd_userdbd_t) + +kernel_read_kernel_sysctls(systemd_userdbd_t) + +systemd_log_parse_environment(systemd_userdbd_t) + ######################################### # # systemd-user-runtime-dir local policy diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 31a11b989..dcf510185 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -912,6 +912,10 @@ template(`userdom_common_user_template',` usernetctl_run($1_t, $1_r) ') + optional_policy(` + systemd_stream_connect_userdb($1_t) + ') + optional_policy(` virt_home_filetrans_virt_home($1_t, dir, ".libvirt") virt_home_filetrans_virt_home($1_t, dir, ".virtinst") 
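Review bot: `auth_read_shadow(systemd_userdbd_t)` together with the userdomain.if hunk that hands `systemd_stream_connect_userdb` to every common user domain means unprivileged users can query a daemon that reads /etc/shadow, so the policy relies on userdbd's own peer-credential checks to withhold the shadow-derived fields. That is the upstream design as I understand it, but it is worth recording next to the rule, e.g. `# serves shadow records; privileged fields are gated by userdbd's peer-uid check, not by policy`, and if it cannot be confirmed the user-domain grant should be narrowed. `can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)` also deserves a one-line comment that systemd-userwork shares the exec type (see the fc hunk) so workers stay in the daemon's domain.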
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index 4b689be9c..fea708f9b 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt @@ -60,6 +60,34 @@ define(`domtrans_pattern',` allow $3 $1:process sigchld; ') +# +# Automatic domain transition patterns +# with NoNewPerms +# +# Parameters: +# 1. source domain +# 2. entry point file type +# 3. target domain +# +define(`nnp_domtrans_pattern',` + domtrans_pattern($1,$2,$3) + allow $1 $3:process2 nnp_transition; +') + +# +# Automatic domain transition patterns +# on nosuid filesystem +# +# Parameters: +# 1. source domain +# 2. entry point file type +# 3. target domain +# +define(`nosuid_domtrans_pattern',` + domtrans_pattern($1,$2,$3) + allow $1 $3:process2 nosuid_transition; +') + # # Dynamic transition pattern # From 71b3fce22bcb7eb97ddd705116ac144404379da2 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 3 Jan 2022 21:17:56 +0000 Subject: [PATCH 2/4] systemd, ssh: Crypto sysctl use. Signed-off-by: Chris PeBenito --- policy/modules/services/ssh.te | 1 + policy/modules/system/systemd.te | 2 ++ 2 files changed, 3 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 94d8c6f07..77f7b30bb 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -339,6 +339,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) kernel_read_kernel_sysctls(ssh_keygen_t) +kernel_read_crypto_sysctls(ssh_keygen_t) kernel_dontaudit_getattr_proc(ssh_keygen_t) kernel_dontaudit_read_system_state(ssh_keygen_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 83d0aeab0..ca2eaef8d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
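Review bot: The header comment on `nnp_domtrans_pattern` says `# with NoNewPerms`; the mechanism is no_new_privs (systemd's NoNewPrivileges=) and the permission granted is `process2 nnp_transition`, so `# with NoNewPrivs (no_new_privs) set` would be accurate. Both new patterns also depend on the nnp_nosuid_transition policy capability being enabled in the policy; a one-line comment naming that requirement next to the `process2` rules would help anyone porting them. `nosuid_domtrans_pattern` is unused in this series, which is acceptable for a support macro but worth stating in the commit message.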
@@ -697,6 +697,8 @@ selinux_use_status_page(systemd_hw_t) init_read_state(systemd_hw_t) init_search_runtime(systemd_hw_t) +kernel_read_crypto_sysctls(systemd_hw_t) + seutil_read_config(systemd_hw_t) seutil_read_file_contexts(systemd_hw_t) From 0b19aaef3c0166f5037cf93d68a0eaacf8947178 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 3 Jan 2022 21:21:59 +0000 Subject: [PATCH 3/4] systemd: Additional fixes for fs getattrs. This may need to be allowed more broadly. Signed-off-by: Chris PeBenito --- policy/modules/system/systemd.te | 36 +++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index ca2eaef8d..0f7dfe0b3 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -478,8 +478,7 @@ files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) fs_list_efivars(systemd_generator_t) -fs_getattr_cgroup(systemd_generator_t) -fs_getattr_xattr_fs(systemd_generator_t) +fs_getattr_all_fs(systemd_generator_t) init_create_runtime_files(systemd_generator_t) init_manage_runtime_dirs(systemd_generator_t) @@ -691,6 +690,9 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file) files_search_runtime(systemd_hw_t) +fs_getattr_all_fs(systemd_hw_t) +fs_search_cgroup_dirs(systemd_hw_t) + selinux_get_fs_mount(systemd_hw_t) selinux_use_status_page(systemd_hw_t) @@ -810,6 +812,7 @@ fs_read_cgroup_files(systemd_logind_t) fs_read_efivarfs_files(systemd_logind_t) fs_relabelfrom_tmpfs_dirs(systemd_logind_t) fs_unmount_tmpfs(systemd_logind_t) +fs_getattr_xattr_fs(systemd_logind_t) selinux_use_status_page(systemd_logind_t) @@ -882,7 +885,6 @@ ifdef(`distro_redhat',` tunable_policy(`systemd_logind_get_bootloader',` fs_getattr_dos_fs(systemd_logind_t) - fs_getattr_xattr_fs(systemd_logind_t) fs_list_dos(systemd_logind_t) fs_read_dos_files(systemd_logind_t) 
@@ -1045,8 +1047,8 @@ files_read_etc_files(systemd_networkd_t) files_watch_runtime_dirs(systemd_networkd_t) files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) -fs_getattr_xattr_fs(systemd_networkd_t) -fs_getattr_cgroup(systemd_networkd_t) + +fs_getattr_all_fs(systemd_networkd_t) fs_search_cgroup_dirs(systemd_networkd_t) fs_read_nsfs_files(systemd_networkd_t) @@ -1385,6 +1387,9 @@ files_watch_root_dirs(systemd_resolved_t) files_watch_runtime_dirs(systemd_resolved_t) files_list_runtime(systemd_resolved_t) +fs_getattr_all_fs(systemd_resolved_t) +fs_search_cgroup_dirs(systemd_resolved_t) + init_dgram_send(systemd_resolved_t) seutil_read_file_contexts(systemd_resolved_t) @@ -1435,6 +1440,9 @@ allow systemd_sessions_t self:process setfscreate; allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms; files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file) +fs_getattr_all_fs(systemd_sessions_t) +fs_search_cgroup_dirs(systemd_sessions_t) + kernel_read_kernel_sysctls(systemd_sessions_t) kernel_dontaudit_getattr_proc(systemd_sessions_t) @@ -1464,6 +1472,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t) files_read_etc_files(systemd_sysctl_t) +fs_getattr_all_fs(systemd_sysctl_t) +fs_search_cgroup_dirs(systemd_sysctl_t) + systemd_log_parse_environment(systemd_sysctl_t) ######################################### @@ -1477,6 +1488,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto; files_manage_etc_files(systemd_sysusers_t) +fs_getattr_all_fs(systemd_sysusers_t) +fs_search_cgroup_dirs(systemd_sysusers_t) + kernel_read_kernel_sysctls(systemd_sysusers_t) selinux_use_status_page(systemd_sysusers_t) 
@@ -1560,10 +1574,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t) # for /etc/mtab files_manage_etc_symlinks(systemd_tmpfiles_t) -fs_getattr_tmpfs(systemd_tmpfiles_t) -fs_getattr_xattr_fs(systemd_tmpfiles_t) fs_list_tmpfs(systemd_tmpfiles_t) fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t) +fs_getattr_all_fs(systemd_tmpfiles_t) +fs_search_cgroup_dirs(systemd_tmpfiles_t) selinux_get_fs_mount(systemd_tmpfiles_t) selinux_use_status_page(systemd_tmpfiles_t) @@ -1652,6 +1666,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms; files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file) files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file) +fs_getattr_all_fs(systemd_update_done_t) +fs_search_cgroup_dirs(systemd_update_done_t) + kernel_read_kernel_sysctls(systemd_update_done_t) selinux_use_status_page(systemd_update_done_t) @@ -1760,8 +1777,12 @@ files_read_etc_files(systemd_userdbd_t) files_read_etc_runtime_files(systemd_userdbd_t) files_read_usr_files(systemd_userdbd_t) +fs_getattr_all_fs(systemd_userdbd_t) +fs_search_cgroup_dirs(systemd_userdbd_t) fs_read_efivarfs_files(systemd_userdbd_t) +kernel_read_system_state(systemd_userdbd_t) + init_stream_connect(systemd_userdbd_t) init_search_runtime(systemd_userdbd_t) init_read_state(systemd_userdbd_t) @@ -1792,6 +1813,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t) fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t) fs_read_cgroup_files(systemd_user_runtime_dir_t) fs_getattr_cgroup(systemd_user_runtime_dir_t) +fs_getattr_xattr_fs(systemd_user_runtime_dir_t) kernel_read_kernel_sysctls(systemd_user_runtime_dir_t) kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t) From 80598ee30d1d507fb34df5119632a14343218fd6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 5 Jan 2022 17:02:06 +0000 Subject: [PATCH 4/4] systemd: Updates for generators and kmod-static-nodes.service. 
Signed-off-by: Chris PeBenito --- policy/modules/system/logging.te | 1 + policy/modules/system/modutils.fc | 1 + policy/modules/system/systemd.te | 5 ++++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index aedbbdc02..768aba5bd 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -549,6 +549,7 @@ ifdef(`init_systemd',` init_dgram_send(syslogd_t) init_read_runtime_pipes(syslogd_t) init_read_runtime_symlinks(syslogd_t) + init_read_runtime_files(syslogd_t) init_read_state(syslogd_t) # needed for systemd-initrd case when syslog socket is unlabelled diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index c4eda80c4..323120062 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -10,6 +10,7 @@ ifdef(`distro_gentoo',` ifdef(`init_systemd',` /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0) +/run/tmpfiles\.d/static-nodes\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0) ') /usr/bin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 0f7dfe0b3..d79b7b759 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -506,7 +506,7 @@ systemd_log_parse_environment(systemd_generator_t) term_use_unallocated_ttys(systemd_generator_t) -udev_search_runtime(systemd_generator_t) +udev_read_runtime_files(systemd_generator_t) ifdef(`distro_gentoo',` corecmd_shell_entry_type(systemd_generator_t) 
@@ -1442,6 +1442,8 @@ files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file) fs_getattr_all_fs(systemd_sessions_t) fs_search_cgroup_dirs(systemd_sessions_t) +fs_search_tmpfs(systemd_sessions_t) +fs_search_ramfs(systemd_sessions_t) kernel_read_kernel_sysctls(systemd_sessions_t) kernel_dontaudit_getattr_proc(systemd_sessions_t) @@ -1600,6 +1602,7 @@ init_read_state(systemd_tmpfiles_t) init_relabel_utmp(systemd_tmpfiles_t) init_relabel_var_lib_dirs(systemd_tmpfiles_t) +init_read_runtime_files(systemd_tmpfiles_t) logging_manage_generic_logs(systemd_tmpfiles_t) logging_manage_generic_log_dirs(systemd_tmpfiles_t)