From 160d08f3aec78012b89155ea7fc26368ce4a597c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 28 Mar 2017 18:51:35 -0400 Subject: [PATCH] systemd-resolvd, sessions, and tmpfiles take2 I believe that I have addressed all the issues Chris raised, so here's a newer version of the patch which applies to today's git version. Description: systemd-resolved, sessions, and tmpfiles patches Author: Russell Coker Last-Update: 2017-03-26 --- policy/modules/contrib | 2 +- policy/modules/kernel/files.if | 92 ++++++++++++++++++++++ policy/modules/kernel/files.te | 2 +- policy/modules/services/xserver.if | 56 +++++++++++++- policy/modules/services/xserver.te | 2 +- policy/modules/system/init.if | 36 +++++++++ policy/modules/system/init.te | 2 +- policy/modules/system/logging.if | 116 ++++++++++++++++++++++++++++ policy/modules/system/logging.te | 2 +- policy/modules/system/miscfiles.if | 19 +++++ policy/modules/system/miscfiles.te | 2 +- policy/modules/system/systemd.te | 84 +++++++++++++++++++- policy/modules/system/userdomain.if | 18 +++++ policy/modules/system/userdomain.te | 2 +- 14 files changed, 424 insertions(+), 11 deletions(-) diff --git a/policy/modules/contrib b/policy/modules/contrib index aede270ab..2128180ac 160000 --- a/policy/modules/contrib +++ b/policy/modules/contrib @@ -1 +1 @@ -Subproject commit aede270ab97e863cbe2b8a1459b8c72ae5786356 +Subproject commit 2128180acf3e02131dfb02d7cf1835d0a1f62b1b diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 63765bd7f..c539391e4 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -2831,6 +2831,24 @@ interface(`files_manage_etc_dirs',` manage_dirs_pattern($1, etc_t, etc_t) ') +######################################## +## +## Relabel directories to etc_t. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir relabelto; +') + ######################################## ## ## Read generic files in /etc. @@ -3809,6 +3827,24 @@ interface(`files_relabelto_home',` allow $1 home_root_t:dir relabelto; ') +######################################## +## +## Relabel from user home root (/home). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelfrom_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir relabelfrom; +') + ######################################## ## ## Create objects in /home. @@ -5496,6 +5532,24 @@ interface(`files_manage_var_dirs',` allow $1 var_t:dir manage_dir_perms; ') +######################################## +## +## relabelto/from var directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Read files in the /var directory. 
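Review bot: `files_relabel_var_dirs` in the third files.if hunk spells its permissions out as `{ relabelfrom relabelto }`, which omits the `getattr` that `xserver_relabel_console_pipes` in this same patch grants and that `miscfiles_relabel_man_cache` gets through `relabel_dirs_pattern`. Using the existing permission set, `allow $1 var_t:dir relabel_dir_perms;`, would keep the new relabel interfaces consistent and spare callers a separate getattr rule. The same applies to `files_relabel_var_lib_dirs`, `init_relabel_var_lib_dirs`, `init_relabel_utmp` (with `relabel_file_perms`), the three `logging_relabel_*` interfaces and `userdom_relabel_user_runtime_root_dirs` in later hunks. The summary `relabelto/from var directories` should also follow the wording used elsewhere in the patch, e.g. `Relabel from and to generic /var directories.`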
@@ -5763,6 +5817,44 @@ interface(`files_rw_var_lib_dirs',` rw_dirs_pattern($1, var_lib_t, var_lib_t) ') +######################################## +## +## manage var_lib_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_lib_dirs',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lib_t:dir manage_dir_perms; +') + +######################################## +## +## relabel var_lib_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_var_lib_dirs',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lib_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Create objects in the /var/lib directory diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 9f911efdb..10001b152 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.7) +policy_module(files, 1.23.8) ######################################## # diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 060adbfab..eae74b67b 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if 
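Review bot: The summaries of `files_manage_var_lib_dirs` and `files_relabel_var_lib_dirs` (`manage var_lib_t dirs`, `relabel var_lib_t dirs`) name the type instead of describing the access, unlike the neighbouring `Create objects in the /var/lib directory`. I would write `Create, read, write, and delete generic directories in /var/lib.` and `Relabel from and to generic directories in /var/lib.` That wording tells a policy author that the grant covers every directory still carrying the generic var_lib_t label, which is what they need to know before giving it to a domain.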
@@ -698,6 +698,42 @@ interface(`xserver_rw_console',` allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') +######################################## +## +## Create the X windows console named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_console_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file create; +') + +######################################## +## +## relabel the X windows console named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_relabel_console_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; +') + ######################################## ## ## Use file descriptors for xdm. @@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',` gen_require(` type xdm_t; class dbus send_msg; - ') + ') allow $1 xdm_t:dbus send_msg; allow xdm_t $1:dbus send_msg; @@ -1162,6 +1198,24 @@ interface(`xserver_read_xkb_libs',` read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ') +######################################## +## +## Create xdm temporary directories. +## +## +## +## Domain to allow access. +## +## +# +interface(`xserver_create_xdm_tmp_dirs',` + gen_require(` + type xdm_tmp_t; + ') + + allow $1 xdm_tmp_t:dir create; +') + ######################################## ## ## Read xdm temporary files. diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 65401ca84..427e1278b 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.13.4) +policy_module(xserver, 3.13.5) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 95d328074..5a6e12dbb 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
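Review bot: `xserver_create_console_pipes` allows only `xconsole_device_t:fifo_file create`, with no search or add_name on the parent directory, so it works only for a domain that already has write access to that directory through another interface, and the doc block does not say so. A second summary sentence such as `The caller must separately be allowed to add entries to the directory that holds the pipe.` would stop the interface being read as sufficient on its own. `xserver_create_xdm_tmp_dirs` in the third xserver.if hunk has the same shape (`xdm_tmp_t:dir create` only) and needs the same sentence. The summary of `xserver_relabel_console_pipes` should also start with a capital letter like its neighbours.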
@@ -1084,6 +1084,24 @@ interface(`init_list_var_lib_dirs',` allow $1 init_var_lib_t:dir list_dir_perms; ') +######################################## +## +## Relabel dirs in /var/lib/systemd/. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_relabel_var_lib_dirs',` + gen_require(` + type init_var_lib_t; + ') + + allow $1 init_var_lib_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Manage files in /var/lib/systemd/. @@ -2517,6 +2535,24 @@ interface(`init_manage_utmp',` allow $1 initrc_var_run_t:file manage_file_perms; ') +######################################## +## +## Relabel utmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_relabel_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + allow $1 initrc_var_run_t:file { relabelfrom relabelto }; +') + ######################################## ## ## Create files in /var/run with the diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 8ca490aac..f09b0f47d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.12) +policy_module(init, 2.2.13) gen_require(` class passwd rootok; diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 8bba7ac8d..afeea44e6 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
@@ -433,6 +433,82 @@ interface(`logging_domtrans_syslog',` domtrans_pattern($1, syslogd_exec_t, syslogd_t) ') +######################################## +## +## Set the attributes of syslog temporary files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_setattr_syslogd_tmp_files',` + gen_require(` + type syslogd_tmp_t; + ') + + allow $1 syslogd_tmp_t:file setattr; +') + +######################################## +## +## Relabel to and from syslog temporary file type. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabel_syslogd_tmp_files',` + gen_require(` + type syslogd_tmp_t; + ') + + allow $1 syslogd_tmp_t:file { relabelfrom relabelto }; +') + +######################################## +## +## Set the attributes of syslog temporary directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_setattr_syslogd_tmp_dirs',` + gen_require(` + type syslogd_tmp_t; + ') + + allow $1 syslogd_tmp_t:dir setattr; +') + +######################################## +## +## Relabel to and from syslog temporary directory type. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabel_syslogd_tmp_dirs',` + gen_require(` + type syslogd_tmp_t; + ') + + allow $1 syslogd_tmp_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Create an object in the log directory, with a private type. 
@@ -920,6 +996,46 @@ interface(`logging_manage_all_logs',` read_lnk_files_pattern($1, logfile, logfile) ') +######################################## +## +## Create, read, write, and delete generic log directories. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_manage_generic_log_dirs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir manage_dir_perms; +') + +######################################## +## +## Relabel from and to generic log directory type. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_relabel_generic_log_dirs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Read generic log files. diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 0cf9f7289..18717a88b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.25.8) +policy_module(logging, 1.25.9) ######################################## # diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 4ed5580ee..f48b32b9d 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -620,6 +620,25 @@ interface(`miscfiles_manage_man_cache',` allow $1 man_cache_t:lnk_file manage_lnk_file_perms; ') +######################################## +## +## Relabel from and to man cache. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_relabel_man_cache',` + gen_require(` + type man_cache_t; + ') + + relabel_dirs_pattern($1, man_cache_t, man_cache_t) + relabel_files_pattern($1, man_cache_t, man_cache_t) +') + ######################################## ## ## Read public files used for file diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index ec4d8dc07..3b180a361 100644 
--- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,4 +1,4 @@ -policy_module(miscfiles, 1.12.1) +policy_module(miscfiles, 1.12.2) ######################################## # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f5af4ce4e..e1f4c3a72 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.3.13) +policy_module(systemd, 1.3.14) ######################################### # @@ -613,9 +613,18 @@ optional_policy(` # Sessions local policy # +allow systemd_sessions_t self:process setfscreate; + allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) +selinux_get_enforce_mode(systemd_sessions_t) +selinux_get_fs_mount(systemd_sessions_t) + +seutil_read_config(systemd_sessions_t) +seutil_read_default_contexts(systemd_sessions_t) +seutil_read_file_contexts(systemd_sessions_t) + systemd_log_parse_environment(systemd_sessions_t) ######################################### @@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t) # Tmpfiles local policy # -allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod }; +allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin }; allow systemd_tmpfiles_t self:process { setfscreate getcap }; +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms }; +allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms; + +allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms }; + manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t) allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto }; 
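Review bot: Nothing in the tmpfiles hunk of systemd.te says why systemd_tmpfiles_t needs `net_admin` and `sys_admin`, which the rewritten `self:capability` line now grants unconditionally. `sys_admin` covers a wide range of privileged operations, and this domain already holds `chown dac_override fowner fsetid mknod`, so the grant needs a justifying comment. If the denial came from an incidental check rather than a required operation, a `dontaudit` rule would be the better fit. I would keep the original capability line and add the new ones separately under a comment, e.g. `# sys_admin: <operation that was denied>` (placeholder) followed by `allow systemd_tmpfiles_t self:capability { net_admin sys_admin };`.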
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; kernel_read_kernel_sysctls(systemd_tmpfiles_t) +kernel_read_network_state(systemd_tmpfiles_t) +dev_manage_all_dev_nodes(systemd_tmpfiles_t) +dev_read_urand(systemd_tmpfiles_t) dev_relabel_all_sysfs(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t) +files_create_lock_dirs(systemd_tmpfiles_t) +files_manage_all_pid_dirs(systemd_tmpfiles_t) +files_delete_usr_files(systemd_tmpfiles_t) +files_list_home(systemd_tmpfiles_t) +files_manage_generic_tmp_dirs(systemd_tmpfiles_t) +files_manage_var_dirs(systemd_tmpfiles_t) +files_manage_var_lib_dirs(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) files_read_etc_files(systemd_tmpfiles_t) files_relabel_all_lock_dirs(systemd_tmpfiles_t) files_relabel_all_pid_dirs(systemd_tmpfiles_t) files_relabel_all_tmp_dirs(systemd_tmpfiles_t) +files_relabel_var_dirs(systemd_tmpfiles_t) +files_relabel_var_lib_dirs(systemd_tmpfiles_t) +files_relabelfrom_home(systemd_tmpfiles_t) +files_relabelto_home(systemd_tmpfiles_t) +files_relabelto_etc_dirs(systemd_tmpfiles_t) +# for /etc/mtab +files_manage_etc_symlinks(systemd_tmpfiles_t) -auth_manage_var_auth(systemd_tmpfiles_t) +fs_getattr_xattr_fs(systemd_tmpfiles_t) + +selinux_get_fs_mount(systemd_tmpfiles_t) +selinux_search_fs(systemd_tmpfiles_t) + +auth_manage_faillog(systemd_tmpfiles_t) auth_manage_login_records(systemd_tmpfiles_t) +auth_manage_var_auth(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) +init_manage_utmp(systemd_tmpfiles_t) +init_manage_var_lib_files(systemd_tmpfiles_t) +# for /proc/1/environ +init_read_state(systemd_tmpfiles_t) + +init_relabel_utmp(systemd_tmpfiles_t) +init_relabel_var_lib_dirs(systemd_tmpfiles_t) + +logging_manage_generic_logs(systemd_tmpfiles_t) 
+logging_manage_generic_log_dirs(systemd_tmpfiles_t) +logging_relabel_generic_log_dirs(systemd_tmpfiles_t) +logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t) +logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t) +logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t) +logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t) + +miscfiles_manage_man_pages(systemd_tmpfiles_t) +miscfiles_relabel_man_cache(systemd_tmpfiles_t) + +seutil_read_config(systemd_tmpfiles_t) seutil_read_file_contexts(systemd_tmpfiles_t) +sysnet_create_config(systemd_tmpfiles_t) + systemd_log_parse_environment(systemd_tmpfiles_t) +userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t) +userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t) + tunable_policy(`systemd_tmpfiles_manage_all',` # systemd-tmpfiles can be configured to manage anything. # have a last-resort option for users to do this. @@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',` files_relabel_non_security_dirs(systemd_tmpfiles_t) files_relabel_non_security_files(systemd_tmpfiles_t) ') + +optional_policy(` + dbus_read_lib_files(systemd_tmpfiles_t) +') + +optional_policy(` + xfs_create_tmp_dirs(systemd_tmpfiles_t) +') + +optional_policy(` + xserver_create_console_pipes(systemd_tmpfiles_t) + xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t) + xserver_relabel_console_pipes(systemd_tmpfiles_t) + xserver_setattr_console_pipes(systemd_tmpfiles_t) +') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 25fb14950..2e439d9a8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
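Review bot: The new systemd_tmpfiles_t grants in this hunk sit outside the `systemd_tmpfiles_manage_all` tunable that opens at its end, and only two of them carry a reason (`# for /etc/mtab`, `# for /proc/1/environ`). Calls such as `files_delete_usr_files`, `files_purge_tmp`, `logging_manage_generic_logs` and `init_manage_utmp` with `init_relabel_utmp` let the domain modify, delete or relabel logs and login records. Each should get a comment naming the tmpfiles.d entry that needs it, or move under the tunable. Separately, the added `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` duplicate the two context lines after `dev_relabel_all_sysfs` and can be dropped. The hunk starts mid-section, so the rules above `kernel_read_kernel_sysctls` are not visible here.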
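Review bot: `dbus_read_lib_files` and `xfs_create_tmp_dirs` in the new `optional_policy` blocks are not defined anywhere in this patch, so they presumably depend on the contrib submodule moving to `2128180ac` in the same commit. As far as I know, an interface name that m4 does not recognise inside `optional_policy` is passed through as text and fails compilation rather than disabling the block. A short comment above each block naming the contrib module that provides the interface would help anyone who picks up only the systemd.te change.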
@@ -2919,6 +2919,24 @@ interface(`userdom_manage_user_runtime_root_dirs',` files_search_pids($1) ') +######################################## +## +## Relabel to and from user runtime root dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_relabel_user_runtime_root_dirs',` + gen_require(` + type user_runtime_root_t; + ') + + allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; +') + ######################################## ## ## Create, read, write, and delete user diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e497cd3b7..f448f643c 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.13.5) +policy_module(userdomain, 4.13.6) ######################################## #