bootloader, init, udev: misc minor fixes

Resolve these AVCs seen during early boot with systemd 255:

Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc:  denied  { setrlimit } for  pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0

Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc:  denied  { write } for  pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0

Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Kenton Groombridge 2024-01-12 17:26:02 -05:00 committed by 0xC0ncord
parent 85fc7fda17
commit f0fc6cd236
3 changed files with 4 additions and 2 deletions


@ -42,7 +42,7 @@ dev_node(bootloader_tmp_t)
#
allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
dontaudit bootloader_t self:capability sys_resource;
dontaudit bootloader_t self:capability { net_admin sys_resource };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;

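Review bot: The new `dontaudit bootloader_t self:capability { net_admin sys_resource };` silences the CAP_NET_ADMIN check that bootctl triggers without recording why it is dontaudited rather than allowed, so a later cleanup could drop the entry or promote it to an allow. A comment above the rule, `# bootctl (systemd 255) probes net_admin at boot; it works without it, so dontaudit rather than allow`, would keep the rationale from the commit message next to the rule. That bootctl functions without the capability is only implied by the author's choice of dontaudit over allow and should be confirmed against a boot with systemd 255.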

@ -271,6 +271,7 @@ ifdef(`init_systemd',`
allow init_t self:process { getcap setcap getsched setsched };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
allow init_t self:netlink_netfilter_socket create_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:system { status reboot halt reload };
# Until systemd is fixed
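Review bot: `allow init_t self:netlink_netfilter_socket create_socket_perms;` grants the full create_socket_perms set although the only denial in the commit message is `create`; that matches the neighbouring netlink_audit_socket and netlink_selinux_socket rules, but nothing records which systemd feature opens the socket. A comment such as `# systemd 255 creates a netlink_netfilter_socket during early boot (seen as a create AVC)` would let a future reviewer judge whether a narrower permission set suffices. The enclosing ifdef(init_systemd) block begins outside the hunk, so I cannot tell whether other netfilter-related rules exist there that this line should sit beside.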


@ -40,7 +40,7 @@ optional_policy(`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate setrlimit getrlimit };
allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit setrlimit };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
allow udev_t self:sock_file read_sock_file_perms;
@ -96,6 +96,7 @@ kernel_read_device_sysctls(udev_t)
kernel_read_hotplug_sysctls(udev_t)
kernel_read_modprobe_sysctls(udev_t)
kernel_read_kernel_sysctls(udev_t)
kernel_rw_fs_sysctls(udev_t)
kernel_rw_hotplug_sysctls(udev_t)
kernel_rw_unix_dgram_sockets(udev_t)
kernel_signal(udev_t)
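Review bot: `kernel_rw_fs_sysctls(udev_t)` in the second hunk grants udev write access to every sysctl_fs_t file, while the AVCs in the commit message show only the nlm_tcpport and nlm_udpport keys written by sysctl(8) running in udev_t; no narrower interface is visible on this page, so the widening may be unavoidable, but it should be recorded at the call site. A comment above the call, `# udev runs sysctl(8) for nlm_tcpport/nlm_udpport; needs write to sysctl_fs_t (no narrower type known)`, would mark the rule for tightening if a dedicated type is ever introduced. The first hunk's addition of setrlimit to the udev_t self:process rule is limited to the process's own limits and corresponds to the setrlimit AVC, so there is nothing to raise there; that rule sits inside an optional_policy block whose start is outside the hunk.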