allow most common permissions for systemd sandboxing options

Signed-off-by: bauen1 <j2468h@gmail.com>

policy/modules/kernel/devices.if

@@ -3791,6 +3791,24 @@ interface(`dev_write_rand',`
 	write_chr_files_pattern($1, device_t, random_device_t)
 ')
 
+########################################
+## <summary>
+##  Create the random device (/dev/random).
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dev_create_rand_dev',`
+	gen_require(`
+		type device_t, random_device_t;
+	')
+
+	create_chr_files_pattern($1, device_t, random_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the realtime clock (/dev/rtc).
@@ -4675,6 +4693,24 @@ interface(`dev_write_urand',`
 	write_chr_files_pattern($1, device_t, urandom_device_t)
 ')
 
+########################################
+## <summary>
+##  Create the urandom device (/dev/urandom).
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`dev_create_urand_dev',`
+	gen_require(`
+		type device_t, urandom_device_t;
+	')
+
+	create_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Getattr generic the USB devices.

policy/modules/kernel/terminal.if

@@ -729,6 +729,27 @@ interface(`term_dontaudit_use_generic_ptys',`
 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
+#######################################
+## <summary>
+##  Create the tty device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_create_controlling_term',`
+	gen_require(`
+		type devtty_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	dev_add_entry_generic_dirs($1)
+	allow $1 devtty_t:chr_file create_chr_file_perms;
+	allow $1 self:capability mknod;
+')
+
 #######################################
 ## <summary>
 ##	Set the attributes of the tty device
@@ -768,6 +789,26 @@ interface(`term_use_controlling_term',`
 	allow $1 devtty_t:chr_file { rw_term_perms lock append };
 ')
 
+#######################################
+## <summary>
+##  Create the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`term_create_ptmx',`
+	gen_require(`
+		type ptmx_t;
+	')
+
+	dev_add_entry_generic_dirs($1)
+	allow $1 ptmx_t:chr_file create_chr_file_perms;
+	allow $1 self:capability mknod;
+')
+
 #######################################
 ## <summary>
 ##	Get the attributes of the pty multiplexor (/dev/ptmx).

policy/modules/system/init.te

@@ -332,6 +332,11 @@ ifdef(`init_systemd',`
 	dev_manage_sysfs_dirs(init_t)
 	dev_relabel_sysfs_dirs(init_t)
 	dev_read_usbfs(initrc_t)
+	# sandbox
+	dev_create_null_dev(init_t)
+	dev_create_zero_dev(init_t)
+	dev_create_rand_dev(init_t)
+	dev_create_urand_dev(init_t)
 	# systemd writes to /dev/watchdog on shutdown
 	dev_write_watchdog(init_t)
 
@@ -458,6 +463,8 @@ ifdef(`init_systemd',`
 	systemd_rw_networkd_netlink_route_sockets(init_t)
 
 	term_create_devpts_dirs(init_t)
+	term_create_ptmx(init_t)
+	term_create_controlling_term(init_t)
 
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)