From 3b5e622339db66fec2b95f15a58b9290af42ed96 Mon Sep 17 00:00:00 2001
From: Krzysztof Nowicki
Date: Sun, 14 May 2017 17:24:03 +0200
Subject: [PATCH] Enable /etc directory protection using ProtectSystem

Setting this service option to 'full' or 'strict' will also remount the /etc directory. Allow this in the policy.

This fixes the systemd-networkd service, but will also positively affect any other service using the above hardening option.
---
 policy/modules/kernel/files.if | 19 +++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8a6403138..ac5714fd4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2849,6 +2849,25 @@ interface(`files_relabelto_etc_dirs',`
 	allow $1 etc_t:dir relabelto;
 ')
+########################################
+##
+## Mount a filesystem on the
+## etc directories.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_etc_dirs',`
+	gen_require(`
+		type etc_t;
+	')
+	allow $1 etc_t:dir mounton;
+')
 ########################################
 ##
 ## Read generic files in /etc.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a647835a..b77b48744 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
 	files_search_kernel_modules(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
+	files_mounton_etc_dirs(init_t)
 	fs_relabel_cgroup_dirs(init_t)
 	fs_rw_cgroup_files(init_t)
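Review bot: The summary of the new `files_mounton_etc_dirs` interface ("Mount a filesystem on the etc directories") does not record that `allow $1 etc_t:dir mounton;` covers every directory labeled etc_t, whereas the commit message only describes remounting the /etc directory itself; as far as the hunk shows there is no narrower type for that single directory, so the rule is as tight as the type system allows, but the wider reach should be stated where callers read it. The summary should also say what the permission is for, so later reviewers can judge callers: something like `## Mount a filesystem on any directory labeled etc_t, e.g. for systemd ProtectSystem=full/strict, which bind-mounts /etc read-only.` The rendering appears to have stripped the XML tags of the interface documentation, so the lines quoted here are the visible comment text only.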
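Review bot: The added `files_mounton_etc_dirs(init_t)` call in init.te carries no comment, while the neighboring `files_mounton_tmp(init_t)` is explained by `# for privatetmp functions`; since this grants init_t mounton over all etc_t directories, the reason belongs next to the rule, e.g. `# for ProtectSystem=full/strict (remounts /etc)` on the line above it. The call sits inside the `ifdef(\`init_systemd',\`` block, whose start and end lie outside the hunk, so the grant is presumably limited to systemd builds as intended.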