more systemd stuff from Russell Coker

This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.

It has some changes for udev_t for systemd-udevd.

policy/modules/kernel/filesystem.if

@@ -4694,6 +4694,24 @@ interface(`fs_getattr_tracefs',`
         allow $1 tracefs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##      search directories on a tracefs filesystem
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_search_tracefs',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+        allow $1 tracefs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##      Get the attributes of files

policy/modules/kernel/filesystem.te

@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.6)
+policy_module(filesystem, 1.22.7)
 
 ########################################
 #

policy/modules/system/init.te

@@ -1,4 +1,4 @@
-policy_module(init, 2.2.17)
+policy_module(init, 2.2.18)
 
 gen_require(`
 	class passwd rootok;
@@ -317,7 +317,7 @@ ifdef(`init_systemd',`
 
 	seutil_read_file_contexts(init_t)
 
-	systemd_manage_lnk_file_passwd_run(init_t)
+	systemd_manage_passwd_runtime_symlinks(init_t)
 
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)

policy/modules/system/systemd.if

@@ -291,6 +291,24 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 ')
 
+######################################
+## <summary>
+##  Allow to domain to create systemd-passwd symlink
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_manage_passwd_runtime_symlinks',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	allow $1 systemd_passwd_var_run_t:lnk_file manage_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      manage systemd unit dirs and the files in them

policy/modules/system/systemd.te

@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.16)
+policy_module(systemd, 1.3.17)
 
 #########################################
 #
@@ -342,16 +342,20 @@ allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_per
 kernel_read_kernel_sysctls(systemd_logind_t)
 
 dev_getattr_dri_dev(systemd_logind_t)
+dev_getattr_generic_usb_dev(systemd_logind_t)
 dev_getattr_kvm_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
+dev_getattr_video_dev(systemd_logind_t)
 dev_manage_wireless(systemd_logind_t)
 dev_read_urand(systemd_logind_t)
 dev_rw_dri(systemd_logind_t)
 dev_rw_input_dev(systemd_logind_t)
 dev_rw_sysfs(systemd_logind_t)
 dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_generic_usb_dev(systemd_logind_t)
 dev_setattr_kvm_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
@@ -448,7 +452,7 @@ optional_policy(`
 # machined local policy
 #
 
-allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
 
@@ -462,6 +466,7 @@ files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
+fs_read_nsfs_files(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
 

policy/modules/system/udev.te

@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.7)
+policy_module(udev, 1.21.8)
 
 ########################################
 #
@@ -57,6 +57,9 @@ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
 
+# for systemd-udevd to rename interfaces
+allow udev_t self:netlink_route_socket nlmsg_write;
+
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 
@@ -78,6 +81,7 @@ manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "console-setup")
 
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
@@ -128,6 +132,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tracefs(udev_t)
 
 mcs_ptrace_all(udev_t)
 
@@ -149,6 +154,7 @@ auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
 init_read_utmp(udev_t)
+init_domtrans_script(udev_t)
 # systemd-udevd searches /run/systemd
 init_search_run(udev_t)
 init_dontaudit_write_utmp(udev_t)
@@ -187,6 +193,9 @@ sysnet_etc_filetrans_config(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
+	# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
+	files_read_default_files(udev_t)
+
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
 	optional_policy(`
@@ -339,11 +348,17 @@ optional_policy(`
 	vbetool_domtrans(udev_t)
 ')
 
+optional_policy(`
+	# for systemd-udevd when starting xen domu
+	virt_read_config(udev_t)
+')
+
 optional_policy(`
 	kernel_write_xen_state(udev_t)
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	fs_manage_xenfs_files(udev_t)
 ')
 
 optional_policy(`