various: fixes for libvirtd and systemd-machined

Signed-off-by: Kenton Groombridge <me@concord.sh>

policy/modules/kernel/devices.if

@@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
 	create_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##  Set attributes on the urandom device (/dev/urandom).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_urand_dev',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Getattr generic the USB devices.

policy/modules/services/dbus.te

@@ -236,6 +236,7 @@ optional_policy(`
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 
+	systemd_connect_machined(system_dbusd_t)
 	# for passing around terminal file handles for machinectl shell
 	systemd_use_inherited_machined_ptys(system_dbusd_t)
 

policy/modules/services/policykit.te

@@ -134,7 +134,9 @@ optional_policy(`
 
 optional_policy(`
 	# for /run/systemd/machines
+	systemd_connect_machined(policykit_t)
 	systemd_read_machines(policykit_t)
+	systemd_watch_machines_dirs(policykit_t)
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)

policy/modules/services/virt.te

@@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
 type virtlogd_t;
 type virtlogd_exec_t;
 init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+init_named_socket_activation(virtlogd_t, virt_runtime_t)
 
 type virtlogd_run_t;
 files_runtime_file(virtlogd_run_t)
@@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
 
 allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
 dontaudit virtd_t self:capability { sys_module sys_ptrace };
+allow virtd_t self:capability2 { bpf perfmon };
+allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
 allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
+# relabel needed for qemu guest agent sockets
+allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
 
 userdom_read_all_users_state(virtd_t)
 
+ifdef(`init_systemd',`
+	init_read_utmp(virtd_t)
+
+	systemd_dbus_chat_logind(virtd_t)
+
+	systemd_connect_machined(virtd_t)
+	systemd_dbus_chat_machined(virtd_t)
+')
+
 tunable_policy(`virt_use_fusefs',`
 	fs_manage_fusefs_dirs(virtd_t)
 	fs_manage_fusefs_files(virtd_t)

policy/modules/system/systemd.if

@@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow watching /run/systemd/machines
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_machines_dirs',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket

policy/modules/system/systemd.te

@@ -992,15 +992,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 
 manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 
+kernel_getattr_proc(systemd_machined_t)
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
 dev_getattr_fs(systemd_machined_t)
+dev_setattr_urand_dev(systemd_machined_t)
 
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_getattr_xattr_fs(systemd_machined_t)
 fs_read_nsfs_files(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
@@ -1015,6 +1018,9 @@ init_stop_system(systemd_machined_t)
 init_get_generic_units_status(systemd_machined_t)
 init_start_generic_units(systemd_machined_t)
 init_stop_generic_units(systemd_machined_t)
+init_get_transient_units_status(systemd_machined_t)
+init_start_transient_units(systemd_machined_t)
+init_stop_transient_units(systemd_machined_t)
 
 logging_send_syslog_msg(systemd_machined_t)