From 372f9cc658658952e64e8695496d3751d57db50d Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:13:39 -0500 Subject: [PATCH 01/34] systemd, fail2ban: allow fail2ban to watch journal Signed-off-by: Kenton Groombridge --- policy/modules/services/fail2ban.te | 1 + policy/modules/system/systemd.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index d26d52256..30bc468df 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -125,6 +125,7 @@ optional_policy(` optional_policy(` systemd_read_journal_files(fail2ban_t) + systemd_watch_journal_dirs(fail2ban_t) ') ######################################## diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 38a026fd5..d54c73359 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -1235,6 +1235,24 @@ interface(`systemd_manage_journal_files',` allow $1 systemd_journal_t:file map; ') +######################################## +## +## Allow domain to add a watch on systemd_journal_t directories +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_watch_journal_dirs',` + gen_require(` + type systemd_journal_t; + ') + + allow $1 systemd_journal_t:dir watch; +') + ######################################## ## ## Relabel to systemd-journald directory type. From 45dd9358e5c3bf9787fbfb01a40f11ebc0ae552a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:13:55 -0500 Subject: [PATCH 02/34] fail2ban: allow reading vm overcommit sysctl Signed-off-by: Kenton Groombridge --- policy/modules/services/fail2ban.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index 30bc468df..e4d699e3b 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te 
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t) files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file) kernel_read_system_state(fail2ban_t) +kernel_read_vm_overcommit_sysctl(fail2ban_t) kernel_search_fs_sysctls(fail2ban_t) corecmd_exec_bin(fail2ban_t) From fa5f878f13752d619914dc9c15576408066bdf31 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:00:21 -0500 Subject: [PATCH 03/34] usbguard: various fixes Signed-off-by: Kenton Groombridge --- policy/modules/admin/usbguard.fc | 3 +++ policy/modules/admin/usbguard.te | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/policy/modules/admin/usbguard.fc b/policy/modules/admin/usbguard.fc index 00416afc3..bb03bd269 100644 --- a/policy/modules/admin/usbguard.fc +++ b/policy/modules/admin/usbguard.fc @@ -2,6 +2,9 @@ /etc/usbguard/rules\.conf gen_context(system_u:object_r:usbguard_rules_t,s0) /etc/usbguard/.+ gen_context(system_u:object_r:usbguard_conf_t,s0) +/run/usbguard(/.*)? gen_context(system_u:object_r:usbguard_runtime_t,s0) +/run/usbguard\.pid gen_context(system_u:object_r:usbguard_runtime_t,s0) + /usr/sbin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_daemon_exec_t,s0) /var/log/usbguard(/.*)? gen_context(system_u:object_r:usbguard_log_t,s0) diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te index b3816c073..0b3c5ef48 100644 --- a/policy/modules/admin/usbguard.te +++ b/policy/modules/admin/usbguard.te @@ -27,6 +27,9 @@ logging_log_file(usbguard_log_t) type usbguard_rules_t; files_config_file(usbguard_rules_t) +type usbguard_runtime_t; +files_runtime_file(usbguard_runtime_t) + # /dev/shm type usbguard_tmpfs_t; files_tmpfs_file(usbguard_tmpfs_t) 
@@ -45,6 +48,10 @@ list_dirs_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t) read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t) read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t) +manage_dirs_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t) +manage_files_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t) +files_runtime_filetrans(usbguard_t, usbguard_runtime_t, { dir file }) + manage_dirs_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t) manage_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t) mmap_read_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t) @@ -57,6 +64,14 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t) dev_rw_sysfs(usbguard_t) +kernel_read_kernel_sysctls(usbguard_t) +kernel_dontaudit_getattr_proc(usbguard_t) + +init_search_runtime(usbguard_t) + +logging_send_audit_msgs(usbguard_t) +logging_send_syslog_msg(usbguard_t) + tunable_policy(`usbguard_user_modify_rule_files',` manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t) ') From 00e210d703e9541898959886b1e2cd3ca2a805a9 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:17:00 -0500 Subject: [PATCH 04/34] redis: allow reading certs Required if redis is to be used with SSL/TLS Signed-off-by: Kenton Groombridge --- policy/modules/services/redis.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te index b6a68566c..a53c9b329 100644 --- a/policy/modules/services/redis.te +++ b/policy/modules/services/redis.te @@ -66,6 +66,7 @@ dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) +miscfiles_read_generic_certs(redis_t) miscfiles_read_localization(redis_t) sysnet_dns_name_resolve(redis_t) From 173d2a2bd03acb9689ed7889d8fd3f95e6be32f3 Mon Sep 17 00:00:00 2001 
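Review bot: `files_runtime_filetrans(usbguard_t, usbguard_runtime_t, { dir file })` in the usbguard.te hunk at @@ -45,6 +48,10 transitions every directory and file usbguard_t creates directly under /run to usbguard_runtime_t, while the usbguard.fc entries in the same patch name exactly two objects, `/run/usbguard(/.*)?` and `/run/usbguard\.pid`. Since the names are known, a named transition is more precise and keeps any unrelated object usbguard_t creates in /run from being labeled as its own runtime type: `files_runtime_filetrans(usbguard_t, usbguard_runtime_t, dir, "usbguard")` and `files_runtime_filetrans(usbguard_t, usbguard_runtime_t, file, "usbguard.pid")`. The usbguard_t block continues outside the hunk.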
From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:17:50 -0500 Subject: [PATCH 05/34] rngd: allow reading sysfs rngd tries to read the rng state at boot. Signed-off-by: Kenton Groombridge --- policy/modules/services/rngd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te index 4540e4ec7..5763e988d 100644 --- a/policy/modules/services/rngd.te +++ b/policy/modules/services/rngd.te @@ -32,6 +32,7 @@ kernel_rw_kernel_sysctl(rngd_t) dev_read_rand(rngd_t) dev_read_urand(rngd_t) +dev_read_sysfs(rngd_t) dev_rw_tpm(rngd_t) dev_write_rand(rngd_t) From 6371411e508f2e93462b811bc50e7abd770de7e7 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:19:04 -0500 Subject: [PATCH 06/34] getty: various fixes Signed-off-by: Kenton Groombridge --- policy/modules/system/getty.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 95b1ec632..599a8e9d5 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -55,6 +55,7 @@ allow getty_t getty_tmp_t:file manage_file_perms; allow getty_t getty_tmp_t:dir manage_dir_perms; files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) +kernel_read_kernel_sysctls(getty_t) kernel_read_system_state(getty_t) # these two needed for receiving faxes @@ -66,6 +67,7 @@ dev_read_sysfs(getty_t) files_read_etc_runtime_files(getty_t) files_read_etc_files(getty_t) files_search_spool(getty_t) +files_dontaudit_search_var_lib(getty_t) fs_search_auto_mountpoints(getty_t) # for error condition handling @@ -84,6 +86,7 @@ term_setattr_unallocated_ttys(getty_t) term_setattr_console(getty_t) auth_rw_login_records(getty_t) +auth_use_nsswitch(getty_t) init_rw_utmp(getty_t) From f137b5cdccff1aad805233df5af35b536a873409 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 22:58:10 -0500 Subject: [PATCH 07/34] modutils: allow kmod to read src_t symlinks 
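Review bot: `auth_use_nsswitch(getty_t)` in the last getty.te hunk (@@ -84,6 +86,7) is added with no rationale, in a commit described only as "various fixes"; in refpolicy that interface also brings in name resolution and the optional nscd/sssd/ldap client access, which is a real widening for a tty login helper. The file already documents comparable grants (`# these two needed for receiving faxes`), so a why-comment above the new call naming the denial it resolves, for example `# for <getty feature that triggers the user/group lookup>`, would let a later reviewer judge whether it can be narrowed. `kernel_read_kernel_sysctls(getty_t)` in the first hunk of the same file would benefit from the same treatment. The getty_t block spans beyond all three hunks.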
Signed-off-by: Kenton Groombridge --- policy/modules/system/modutils.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index ef5de835e..59648d3bf 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -88,6 +88,7 @@ files_read_kernel_symbol_table(kmod_t) files_read_etc_runtime_files(kmod_t) files_read_etc_files(kmod_t) files_read_usr_files(kmod_t) +files_read_usr_src_files(kmod_t) files_exec_etc_files(kmod_t) files_search_tmp(kmod_t) # for nscd: From d91bef2d2403d63b22568a524f4e074e5bd47eda Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:01:38 -0500 Subject: [PATCH 08/34] devices, userdomain: dontaudit userdomain setattr on null device nodes Signed-off-by: Kenton Groombridge --- policy/modules/kernel/devices.if | 19 +++++++++++++++++++ policy/modules/system/userdomain.if | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c0578a517..35533ccd3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3391,6 +3391,25 @@ interface(`dev_setattr_null_dev',` setattr_chr_files_pattern($1, device_t, null_device_t) ') +######################################## +## +## Do not audit attempts to set the attributes of +## the null device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_setattr_null_dev',` + gen_require(` + type null_device_t; + ') + + dontaudit $1 null_device_t:chr_file setattr; +') + ######################################## ## ## Delete the null device (/dev/null). diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 958ccd521..d9c376d81 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
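Review bot: The commit title says kmod needs to read src_t symlinks, but the modutils.te hunk adds `files_read_usr_src_files(kmod_t)`, which in refpolicy also grants read access to src_t regular files and directory listing, not only symlink traversal. If the observed denial was only `lnk_file read` (typically a /usr/src symlink pointing at a kernel tree), a narrower lnk_file-only grant would match the stated intent; otherwise the title should say "read /usr/src files" so the history reflects what was actually granted. The kmod_t block continues outside the hunk.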
@@ -78,6 +78,7 @@ template(`userdom_base_user_template',` dev_dontaudit_getattr_all_blk_files($1_t) dev_dontaudit_getattr_all_chr_files($1_t) + dev_dontaudit_setattr_null_dev($1_t) # for X session unlock allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; From 9051a096171a4350472b724063bd912d5273fe4a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:02:09 -0500 Subject: [PATCH 09/34] spamassassin: allow rspamd to read network sysctls Signed-off-by: Kenton Groombridge --- policy/modules/services/spamassassin.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 229d1f5d1..cb95a77a2 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -417,6 +417,8 @@ tunable_policy(`rspamd_spamd',` corenet_tcp_connect_http_port(spamd_t) corenet_tcp_connect_redis_port(spamd_t) + + kernel_read_network_state(spamd_t) ') tunable_policy(`use_nfs_home_dirs',` From 02b9bf0a1c1e2c545a442a5abe7adc077407d376 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:02:31 -0500 Subject: [PATCH 10/34] redis: allow reading net and vm overcommit sysctls Signed-off-by: Kenton Groombridge --- policy/modules/services/redis.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te index a53c9b329..339eb19dd 100644 --- a/policy/modules/services/redis.te +++ b/policy/modules/services/redis.te @@ -50,7 +50,9 @@ manage_dirs_pattern(redis_t, redis_runtime_t, redis_runtime_t) manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t) +kernel_read_net_sysctls(redis_t) kernel_read_system_state(redis_t) +kernel_read_vm_overcommit_sysctl(redis_t) corenet_all_recvfrom_netlabel(redis_t) corenet_tcp_sendrecv_generic_if(redis_t) 
From dac8c8af271faead8076b3fc7a1b2e5788f2f435 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:01:38 -0500 Subject: [PATCH 11/34] devices, userdomain: dontaudit userdomain setattr on null device nodes Signed-off-by: Kenton Groombridge --- policy/modules/kernel/devices.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 35533ccd3..7dd0a5771 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3398,7 +3398,7 @@ interface(`dev_setattr_null_dev',` ## ## ## -## Domain allowed access. +## Domain to not audit. ## ## # From 497cb3ca2be74e58c891f8339f5b4d7563288b5f Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 23:03:10 -0500 Subject: [PATCH 12/34] files, init, systemd: various fixes Signed-off-by: Kenton Groombridge --- policy/modules/kernel/files.if | 18 ++++++++++++++++++ policy/modules/system/init.te | 11 ++++++++++- policy/modules/system/systemd.if | 20 ++++++++++++++++++++ policy/modules/system/systemd.te | 3 +++ 4 files changed, 51 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 34a9cd66d..f60508620 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4643,6 +4643,24 @@ interface(`files_manage_generic_tmp_dirs',` manage_dirs_pattern($1, tmp_t, tmp_t) ') +######################################## +## +## Relabel temporary directories in /tmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_generic_tmp_dirs',` + gen_require(` + type tmp_t; + ') + + relabel_dirs_pattern($1, tmp_t, tmp_t) +') + ######################################## ## ## Manage temporary files and directories in /tmp. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 34d20f2d7..7394f77dd 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
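Review bot: Patch 11 reuses the subject of patch 08 verbatim and only corrects the parameter description of `dev_dontaudit_setattr_null_dev` from `Domain allowed access.` to `Domain to not audit.`; it is a fixup of a commit in the same series and should be squashed into patch 08 rather than sent as a separate commit. As it stands the history gains two entries with identical messages and no description of what the second one changes.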
@@ -267,7 +267,7 @@ ifdef(`init_systemd',` # setexec and setkeycreate for systemd --user allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit }; - allow init_t self:capability2 { audit_read block_suspend }; + allow init_t self:capability2 { audit_read block_suspend bpf perfmon }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; @@ -294,6 +294,11 @@ ifdef(`init_systemd',` # /memfd:systemd-state fs_tmpfs_filetrans(init_t, init_runtime_t, file) + # mounton is required for systemd-timesyncd + allow init_t init_var_lib_t:dir { manage_dir_perms mounton }; + allow init_t init_var_lib_t:file manage_file_perms; + allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms; + manage_files_pattern(init_t, systemd_unit_t, systemdunit) manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t) @@ -307,6 +312,8 @@ ifdef(`init_systemd',` kernel_read_fs_sysctls(init_t) kernel_list_unlabeled(init_t) kernel_load_module(init_t) + kernel_request_load_module(init_t) + kernel_rw_fs_sysctls(init_t) kernel_rw_kernel_sysctl(init_t) kernel_rw_net_sysctls(init_t) kernel_read_all_sysctls(init_t) @@ -390,6 +397,8 @@ ifdef(`init_systemd',` files_list_spool(init_t) files_manage_all_runtime_dirs(init_t) files_manage_generic_tmp_dirs(init_t) + files_relabel_generic_tmp_dirs(init_t) + files_mounton_tmp(init_t) files_manage_urandom_seed(init_t) files_read_boot_files(initrc_t) files_relabel_all_lock_dirs(init_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index d54c73359..8462a1420 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
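Review bot: The first init.te hunk (@@ -267,7 +267,7) adds `bpf perfmon` to init_t's capability2 set with no comment, whereas the mounton grant in the next hunk of the same file explains itself (`# mounton is required for systemd-timesyncd`). CAP_BPF and CAP_PERFMON are broad kernel-level capabilities, so the reason belongs next to the rule; presumably systemd's BPF-based unit sandboxing (IPAddressAllow/Deny, DeviceAllow) is what needs them, but that is inferred and should be confirmed against the denial, e.g. `# bpf/perfmon: systemd loads BPF programs for per-unit IP/device filtering -- confirm`. `kernel_rw_fs_sysctls(init_t)` in the third hunk (@@ -307,6 +312,8) is another write-side grant that deserves a one-line why-comment. The init_systemd block spans beyond every hunk here.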
@@ -164,6 +164,8 @@ template(`systemd_role_template',` systemd_status_user_runtime_units($3) systemd_stop_user_runtime_units($3) + systemd_watch_passwd_runtime_dirs($3) + optional_policy(` xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd") xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd") @@ -1163,6 +1165,24 @@ interface(`systemd_manage_passwd_runtime_symlinks',` allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms; ') +######################################## +## +## Allow a domain to watch systemd-passwd runtime dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_watch_passwd_runtime_dirs',` + gen_require(` + type systemd_passwd_runtime_t; + ') + + allow $1 systemd_passwd_runtime_t:dir watch; +') + ######################################## ## ## manage systemd unit dirs and the files in them (Deprecated) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f5b5b07a7..58e394875 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -432,6 +432,7 @@ allow systemd_generator_t self:fifo_file rw_fifo_file_perms; allow systemd_generator_t self:capability dac_override; allow systemd_generator_t self:process setfscreate; +corecmd_exec_shell(systemd_generator_t) corecmd_getattr_bin_files(systemd_generator_t) dev_read_sysfs(systemd_generator_t) @@ -446,6 +447,7 @@ files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) fs_list_efivars(systemd_generator_t) +fs_getattr_cgroup(systemd_generator_t) fs_getattr_xattr_fs(systemd_generator_t) init_create_runtime_files(systemd_generator_t) @@ -464,6 +466,7 @@ init_read_script_files(systemd_generator_t) kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t) kernel_read_kernel_sysctls(systemd_generator_t) +kernel_dontaudit_getattr_proc(systemd_generator_t) storage_raw_read_fixed_disk(systemd_generator_t) 
From 342eefd3b0dd0b28a075806fa9813068ccb2130e Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 27 Dec 2020 15:16:38 -0500 Subject: [PATCH 13/34] ssh: allow ssh_keygen_t to read localization Signed-off-by: Kenton Groombridge --- policy/modules/services/ssh.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 238c45ed8..866108ffd 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -354,6 +354,8 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) +miscfiles_read_localization(ssh_keygen_t) + userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` From a6df5e653c35350ab0c38b7f4ed4bb9b36a6acdf Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 27 Dec 2020 20:17:50 -0500 Subject: [PATCH 14/34] devicekit: allow devicekit_disk_t to setsched Signed-off-by: Kenton Groombridge --- policy/modules/services/devicekit.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index bb17854bc..a41a75961 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -67,7 +67,7 @@ optional_policy(` allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio }; allow devicekit_disk_t self:capability2 wake_alarm; -allow devicekit_disk_t self:process { getsched signal_perms }; +allow devicekit_disk_t self:process { getsched setsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; From c46bbef5f74835515939264c9e1d6f74412663c1 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 12 Mar 2021 20:29:05 -0500 Subject: [PATCH 15/34] udev: various fixes Mostly mdraid stuff and a few dontaudits. 
Signed-off-by: Kenton Groombridge --- policy/modules/system/udev.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 4a2283b6c..3567f072c 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -124,6 +124,9 @@ files_mmap_read_kernel_modules(udev_t) files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) +files_dontaudit_getattr_default_files(udev_t) +files_dontaudit_getattr_lost_found_dirs(udev_t) +files_dontaudit_getattr_tmp_dirs(udev_t) fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) @@ -145,6 +148,7 @@ selinux_compute_access_vector(udev_t) selinux_compute_create_context(udev_t) selinux_compute_relabel_context(udev_t) selinux_compute_user_contexts(udev_t) +selinux_use_status_page(udev_t) storage_watch_fixed_disk(udev_t) @@ -329,6 +333,7 @@ optional_policy(` optional_policy(` raid_domtrans_mdadm(udev_t) + raid_read_mdadm_runtime_files(udev_t) ') optional_policy(` From 7ca9dcea1f278d05526bf7b1681c6e1b1134a358 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:20:40 -0500 Subject: [PATCH 16/34] init: modify interface to allow reading all pipes Signed-off-by: Kenton Groombridge --- policy/modules/system/init.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index fecbb2f52..1ad229679 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -2544,7 +2544,7 @@ interface(`init_rw_script_pipes',` type initrc_t; ') - allow $1 initrc_t:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_t:fifo_file rw_fifo_file_perms; ') ######################################## From a1a9c33e880d7cbf80eb41750248636096a75b45 Mon Sep 17 00:00:00 2001 
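Review bot: Changing `init_rw_script_pipes` from `rw_inherited_fifo_file_perms` to `rw_fifo_file_perms` in the init.if hunk widens every existing caller of the interface, not just the iptables domain that patch 17 adds: each of them now gains `open` on initrc_t fifo files instead of only using descriptors inherited from init scripts. If a caller genuinely must open the pipe by name, the conventional fix is a new interface beside the inherited one so the broader permission is opted into explicitly, and the interface summary (outside the hunk) must be updated if it still says "inherited". Patch 17's description says the rules are piped to stdin, which is an inherited descriptor already covered by the original permission set, so the widening may not be needed at all; worth confirming against the actual denial before merging both.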
From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:21:26 -0500 Subject: [PATCH 17/34] iptables: allow reading initrc pipes The systemd service calls a script which reads the saved rules from a file piped to stdin. Signed-off-by: Kenton Groombridge --- policy/modules/system/iptables.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 255b44df8..84d413c2a 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -86,6 +86,7 @@ auth_use_nsswitch(iptables_t) init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: +init_rw_script_pipes(iptables_t) init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) From 7f1a7b1cacd5d211077ce62fbb4e91890e65c820 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 12 Mar 2021 21:15:45 -0500 Subject: [PATCH 18/34] wireguard: allow running iptables Wireguard can be configured to run iptables and other such networking tools when bringing up/down interfaces. Also add a dontaudit for searching kernel sysctls. Signed-off-by: Kenton Groombridge --- policy/modules/services/wireguard.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te index 5eb991051..c25d3c681 100644 --- a/policy/modules/services/wireguard.te +++ b/policy/modules/services/wireguard.te @@ -61,8 +61,13 @@ corecmd_exec_shell(wireguard_t) domain_use_interactive_fds(wireguard_t) +# wg-quick can be configured to run iptables and other networking +# config tools when bringing up/down the wg interfaces +iptables_domtrans(wireguard_t) + # wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands kernel_dontaudit_read_system_state(wireguard_t) +kernel_dontaudit_search_kernel_sysctl(wireguard_t) miscfiles_read_localization(wireguard_t) From 1c552ec38fa31cc10915de461aa75b2deef5d575 Mon Sep 17 00:00:00 2001 
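Review bot: `iptables_domtrans(wireguard_t)` in the wireguard.te hunk is called at top level, but iptables is a separate policy module, so the call should be placed inside an optional_policy block the way patch 01 wraps `systemd_read_journal_files(fail2ban_t)`; otherwise a build that does not include the iptables module fails to link wireguard. Proposed: `optional_policy(`` / `	iptables_domtrans(wireguard_t)` / `')`, keeping the two-line wg-quick comment above it. This assumes iptables is not configured as a required base module in this tree. The wireguard_t block continues outside the hunk.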
From: Kenton Groombridge Date: Sun, 14 Mar 2021 16:50:23 -0400 Subject: [PATCH 19/34] bootloader, filesystem: various fixes for grub Signed-off-by: Kenton Groombridge --- policy/modules/admin/bootloader.te | 3 +++ policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 6e6d758d0..5eef8960b 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -67,6 +67,7 @@ kernel_read_software_raid_state(bootloader_t) kernel_read_kernel_sysctls(bootloader_t) kernel_search_debugfs(bootloader_t) kernel_setsched(bootloader_t) +kernel_dontaudit_getattr_proc(bootloader_t) # for grub-probe kernel_request_load_module(bootloader_t) @@ -90,6 +91,7 @@ fs_getattr_dos_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) fs_read_tmpfs_symlinks(bootloader_t) #Needed for EFI +fs_getattr_efivarfs(bootloader_t) fs_manage_dos_files(bootloader_t) fs_mmap_read_dos_files(bootloader_t) @@ -153,6 +155,7 @@ miscfiles_read_localization(bootloader_t) mount_rw_runtime_files(bootloader_t) selinux_getattr_fs(bootloader_t) +selinux_use_status_page(bootloader_t) seutil_read_bin_policy(bootloader_t) seutil_read_file_contexts(bootloader_t) seutil_read_loadpolicy(bootloader_t) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e0a7e4bc7..0047ea89e 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2155,6 +2155,24 @@ interface(`fs_manage_dos_files',` manage_files_pattern($1, dosfs_t, dosfs_t) ') +######################################## +## +## Get the attributes of efivarfs filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_efivarfs',` + gen_require(` + type efivarfs_t; + ') + + allow $1 efivarfs_t:filesystem getattr; +') + ######################################## ## ## List dirs in efivarfs filesystem. 
From c56b78f0c84eb55a5f148b061596590d84b64a75 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 14 Mar 2021 16:51:40 -0400 Subject: [PATCH 20/34] mount: allow getattr on dos filesystems Signed-off-by: Kenton Groombridge --- policy/modules/system/mount.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 5817e1a92..79591956d 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -103,6 +103,7 @@ fs_getattr_tmpfs(mount_t) fs_getattr_rpc_pipefs(mount_t) fs_getattr_cifs(mount_t) fs_getattr_nfs(mount_t) +fs_getattr_dos_fs(mount_t) fs_mount_all_fs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) From 2166acf355faf72a8cc3f5b1557d424b4a434b63 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sat, 13 Mar 2021 21:31:27 -0500 Subject: [PATCH 21/34] init, mount: allow systemd to watch utab Signed-off-by: Kenton Groombridge --- policy/modules/system/init.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 7394f77dd..d313d70c8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -446,7 +446,11 @@ ifdef(`init_systemd',` miscfiles_watch_localization(init_t) + # systemd watches utab in order to mount the + # local filesystem at boot mount_watch_runtime_dirs(init_t) + mount_watch_runtime_files(init_t) + mount_watch_reads_runtime_files(init_t) # systemd_socket_activated policy mls_socket_write_all_levels(init_t) From 7b8c44ab9bc0fafa072a8faf901bffc9a8465380 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:14:52 -0500 Subject: [PATCH 22/34] init, systemd: allow logind to watch utmp Signed-off-by: Kenton Groombridge --- policy/modules/system/init.if | 18 ++++++++++++++++++ policy/modules/system/systemd.te | 1 + 2 files changed, 19 insertions(+) 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 1ad229679..56b9e744a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3009,6 +3009,24 @@ interface(`init_manage_utmp',` allow $1 initrc_runtime_t:file manage_file_perms; ') +######################################## +## +## Add a watch on utmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_watch_utmp',` + gen_require(` + type initrc_runtime_t; + ') + + allow $1 initrc_runtime_t:file watch; +') + ######################################## ## ## Relabel utmp. diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 58e394875..9c84efbb4 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -663,6 +663,7 @@ init_dbus_send_script(systemd_logind_t) init_get_all_units_status(systemd_logind_t) init_get_system_status(systemd_logind_t) init_read_utmp(systemd_logind_t) +init_watch_utmp(systemd_logind_t) init_service_start(systemd_logind_t) init_service_status(systemd_logind_t) init_start_all_units(systemd_logind_t) From b3c1dba1448b8afc0f13f013b5c309a78d47cbc6 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:22:14 -0500 Subject: [PATCH 23/34] logging: allow auditd to use nsswitch Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index df474a634..9efd7b819 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -196,6 +196,8 @@ domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) files_list_usr(auditd_t) +auth_use_nsswitch(auditd_t) + init_telinit(auditd_t) logging_set_audit_parameters(auditd_t) From a838a8871709ed389f63f09a857f9a7e49211786 Mon Sep 17 00:00:00 2001 
From: Kenton Groombridge Date: Sat, 27 Mar 2021 18:28:25 -0400 Subject: [PATCH 24/34] logging: allow auditd to getattr on audisp-remote binary Signed-off-by: Kenton Groombridge --- policy/modules/system/logging.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 9efd7b819..86f69b236 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -166,6 +166,10 @@ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) files_runtime_filetrans(auditd_t, auditd_runtime_t, { file sock_file }) +# Needs to be able to getattr on the audisp-remote binary to verify +# the plugin configuration. +allow auditd_t audisp_remote_exec_t:file getattr; + kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app From 403c4c3470cae2c767ba7809780cd857b1a35798 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Thu, 11 Mar 2021 21:20:02 -0500 Subject: [PATCH 25/34] systemd: allow systemd-resolved to manage its own sock files Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 9c84efbb4..1c0356c95 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -1184,6 +1184,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch; manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) +manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t) init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir) dev_read_sysfs(systemd_resolved_t) From dbecb3546dd40545a6e3e49ffec9eba8d63b233c Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 12 Mar 2021 20:32:16 -0500 Subject: [PATCH 26/34] systemd: add policy for systemd-sysctl Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.te | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index c19259f73..34db8c034 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -39,6 +39,7 @@ /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) /usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0) +/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0) /usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0) /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 1c0356c95..814df1a91 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -260,6 +260,10 @@ corenet_port(systemd_socket_proxyd_port_t)
 type systemd_socket_proxyd_unit_file_t;
 init_unit_file(systemd_socket_proxyd_unit_file_t)
+type systemd_sysctl_t;
+type systemd_sysctl_exec_t;
+init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
+
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
@@ -1269,6 +1273,21 @@ seutil_read_file_contexts(systemd_sessions_t)
 systemd_log_parse_environment(systemd_sessions_t)
+########################################
+#
+# sysctl local policy
+#
+
+dontaudit systemd_sysctl_t self:capability sys_ptrace;
+
+kernel_read_kernel_sysctls(systemd_sysctl_t)
+kernel_request_load_module(systemd_sysctl_t)
+kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
+
+systemd_log_parse_environment(systemd_sysctl_t)
 #########################################
 #
From 42d46c14bcc85433e60fa5225500cca15449dcd2 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sat, 13 Mar 2021 19:59:42 -0500
Subject: [PATCH 27/34] init, udev: various fixes for systemd
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/init.te | 5 +++++
 policy/modules/system/udev.if | 40 +++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d313d70c8..f87be1877 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
 allow init_t self:capability2 audit_read;
 allow init_t self:key { search setattr write };
 allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ dontaudit init_t self:process { dyntransition setcurrent };
 allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
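Review bot: systemd_sysctl_t is declared with init_daemon_domain while systemd_sysusers_t, two lines below in the same hunk, uses init_system_domain; systemd-sysctl is presumably a short-lived boot-time unit like sysusers rather than a long-running daemon, so the choice should either match or carry a comment saying why it differs. In the local-policy hunk, files_read_etc_files(systemd_sysctl_t) covers /etc/sysctl.d, but nothing visible grants reading drop-ins under /usr/lib/sysctl.d or /run/sysctl.d; confirm those are reachable through the base domain rules or add the corresponding interfaces. A comment above kernel_rw_all_sysctls, e.g. `# systemd-sysctl applies arbitrary sysctl.d settings, so rw on all sysctls is the job itself`, would record why a rule this broad is intentional.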
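Review bot: `dontaudit init_t self:process { dyntransition setcurrent };` permanently hides a denial that is normally a strong signal (a process trying to change its own context), and neither the hunk nor the commit message says which systemd code path triggers it. A comment on the line naming the trigger, e.g. `# systemd attempts a self context change at <TRIGGER-FROM-OBSERVED-AVC>; the denial is expected` with the placeholder filled in, would let the rule be revisited when that code changes. The ifdef(`init_systemd') block containing this line starts and ends outside the hunk.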
@@ -430,6 +431,7 @@ ifdef(`init_systemd',`
 fs_relabel_tmpfs_blk_files(init_t)
 fs_relabel_tmpfs_chr_files(init_t)
 fs_relabel_tmpfs_fifo_files(init_t)
+ fs_read_efivarfs_files(init_t)
 # for privatetmp functions
 fs_relabel_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_files(init_t)
@@ -508,6 +510,9 @@ ifdef(`init_systemd',`
 # for systemd to read udev status
 udev_read_runtime_files(init_t)
+ udev_relabel_rules_dirs(init_t)
+ udev_relabel_rules_files(init_t)
+ userdom_relabel_user_runtime_root_dirs(init_t)
 tunable_policy(`init_mounton_non_security',`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 538f28514..f02b73edd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
 udev_search_runtime($1)
 ')
+########################################
+##
+## Relabel udev rules directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_dirs',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
+########################################
+##
+## Relabel udev rules files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
 ########################################
 ##
 ## Do not audit search of udev database directories. (Deprecated)
From 95dc0f0de330d11a19bb6390601e4e3797313c35 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 14 Mar 2021 13:49:00 -0400
Subject: [PATCH 28/34] udev: allow systemd-vconsole-setup to sys_tty_config
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/udev.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3567f072c..98d64ec38 100644
--- a/policy/modules/system/udev.te
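Review bot: The two new interfaces udev_relabel_rules_dirs and udev_relabel_rules_files only call files_search_etc($1), while the sibling udev_manage_rules_files visible in the hunk context ends with udev_search_runtime($1); if udev_rules_t is also applied under the udev runtime directory (which the sibling's search suggests), callers such as init_t in this commit's init.te hunk would lack search on the path to that copy. Adding `udev_search_runtime($1)` to both interfaces would make them consistent with the sibling and self-contained. A one-line comment in init.te above the two calls stating which udev rules directory systemd relabels would also help, since relabel on a rules type is a sensitive permission to hand to init.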
+++ b/policy/modules/system/udev.te
@@ -41,7 +41,6 @@ ifdef(`enable_mcs',`
 #
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
-dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
@@ -58,6 +57,13 @@ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+ifdef(`init_systemd',`
+ # systemd-vconsole-setup will be called by udev during virtual terminal initialization
+ allow udev_t self:capability sys_tty_config;
+',`
+ dontaudit udev_t self:capability sys_tty_config;
+')
+
 # for systemd-udevd to rename interfaces
 allow udev_t self:netlink_route_socket nlmsg_write;
From 69b2259c7ddedbd4d19279f62aa638dbbb923c47 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 12 Mar 2021 20:31:12 -0500
Subject: [PATCH 29/34] various: several dontaudits
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/sudo.if | 3 +++
 policy/modules/services/ssh.te | 1 +
 policy/modules/system/init.te | 1 +
 policy/modules/system/logging.te | 1 +
 policy/modules/system/systemd.te | 9 +++++++++
 policy/modules/system/udev.te | 2 ++
 policy/modules/system/userdomain.if | 19 +++++++++++++++++++
 7 files changed, 36 insertions(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f8da0d878..adca75133 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -66,6 +66,7 @@ template(`sudo_role_template',`
 allow $1_sudo_t self:unix_dgram_socket sendto;
 allow $1_sudo_t self:unix_stream_socket connectto;
 allow $1_sudo_t self:key manage_key_perms;
+ dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 allow $1_sudo_t $3:key search;
@@ -85,6 +86,7 @@ template(`sudo_role_template',`
 kernel_read_kernel_sysctls($1_sudo_t)
 kernel_read_system_state($1_sudo_t)
 kernel_link_key($1_sudo_t)
+ kernel_dontaudit_getattr_proc($1_sudo_t)
 corecmd_exec_all_executables($1_sudo_t)
@@ -142,6 +144,7 @@ template(`sudo_role_template',`
 userdom_manage_user_tmp_symlinks($1_sudo_t)
 userdom_setattr_user_ptys($1_sudo_t)
 userdom_use_user_terminals($1_sudo_t)
+ userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_user_home_content($1_sudo_t)
 userdom_dontaudit_search_user_home_dirs($1_sudo_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 866108ffd..d4ef9c3cc 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -334,6 +334,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
 kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_dontaudit_getattr_proc(ssh_keygen_t)
 fs_search_auto_mountpoints(ssh_keygen_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f87be1877..32b48ec53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -408,6 +408,7 @@ ifdef(`init_systemd',`
 # If /etc/localtime is missing, a watch on /etc is added.
 files_watch_etc_dirs(init_t)
 files_watch_etc_symlinks(init_t)
+ files_dontaudit_write_var_dirs(init_t)
 fs_relabel_cgroup_dirs(init_t)
 fs_list_auto_mountpoints(init_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 86f69b236..d9063742d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
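Review bot: The three sudo.if hunks add silencing rules (`dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };`, kernel_dontaudit_getattr_proc, userdom_dontaudit_rw_user_tmp_pipes) without a comment on what sudo does that triggers each attempt, and the same applies to files_dontaudit_write_var_dirs(init_t) in the init.te hunk and to the kernel_dontaudit_getattr_proc additions in the ssh.te, logging.te and systemd.te hunks that follow. A dontaudit removes the denial from the audit log permanently, so if any of these accesses turns out to be functionally needed the failure becomes silent; verify each one is spurious before silencing it, dac_read_search in particular. A short comment per rule, e.g. `# sudo stats /proc on startup; the denial is harmless` adjusted to the observed AVC, is the minimum I would ask for.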
@@ -114,6 +114,7 @@ files_getattr_all_dirs(auditctl_t)
 files_getattr_all_files(auditctl_t)
 files_read_etc_files(auditctl_t)
+kernel_dontaudit_getattr_proc(auditctl_t)
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 kernel_setsched(auditctl_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 814df1a91..83f886344 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -336,6 +336,8 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
+kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
@@ -501,6 +503,7 @@ optional_policy(`
 allow systemd_hostnamed_t self:capability sys_admin;
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
+kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 dev_read_sysfs(systemd_hostnamed_t)
@@ -617,6 +620,7 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
+kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 dev_getattr_dri_dev(systemd_logind_t)
@@ -822,6 +826,7 @@ optional_policy(`
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
 kernel_request_load_module(systemd_modules_load_t)
+kernel_dontaudit_getattr_proc(systemd_modules_load_t)
 dev_read_sysfs(systemd_modules_load_t)
@@ -858,6 +863,7 @@ kernel_read_kernel_sysctls(systemd_networkd_t)
 kernel_read_network_state(systemd_networkd_t)
 kernel_request_load_module(systemd_networkd_t)
 kernel_rw_net_sysctls(systemd_networkd_t)
+kernel_dontaudit_getattr_proc(systemd_networkd_t)
 corecmd_bin_entry_type(systemd_networkd_t)
 corecmd_exec_bin(systemd_networkd_t)
@@ -1196,6 +1202,7 @@ dev_read_sysfs(systemd_resolved_t)
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
+kernel_dontaudit_getattr_proc(systemd_resolved_t)
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_dns_port(systemd_resolved_t)
@@ -1263,6 +1270,7 @@ allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 kernel_read_kernel_sysctls(systemd_sessions_t)
+kernel_dontaudit_getattr_proc(systemd_sessions_t)
 selinux_get_fs_mount(systemd_sessions_t)
 selinux_use_status_page(systemd_sessions_t)
@@ -1581,6 +1589,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
 selinux_use_status_page(systemd_user_runtime_dir_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 98d64ec38..d22524c81 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -131,6 +131,7 @@ files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
 files_dontaudit_getattr_default_files(udev_t)
+files_dontaudit_getattr_home_dir(udev_t)
 files_dontaudit_getattr_lost_found_dirs(udev_t)
 files_dontaudit_getattr_tmp_dirs(udev_t)
@@ -199,6 +200,7 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
+userdom_dontaudit_getattr_user_home_dirs(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 ifdef(`distro_debian',`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d9c376d81..978c1b875 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3105,6 +3105,25 @@ interface(`userdom_manage_user_tmp_pipes',`
 userdom_search_user_runtime($1)
 ')
+########################################
+##
+## Do not audit attempts to read and write
+## temporary pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete user
From 8eff2c5998bfe662cf0e4da0381316066c0dd97e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Wed, 7 Apr 2021 12:55:38 -0400
Subject: [PATCH 30/34] sysadm, systemd: various fixes
Allow sysadm to communicate with logind over dbus and add missing rules for systemd-logind.
Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 4 ++++
 policy/modules/system/systemd.te | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5aaec991d..a3447e7b0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -81,6 +81,10 @@ ifdef(`init_systemd',`
 # Allow sysadm to resolve the username of dynamic users by calling
 # LookupDynamicUserByUID on org.freedesktop.systemd1.
 init_dbus_chat(sysadm_t)
+
+ # Allow sysadm to get the status of and set properties of other users,
+ # sessions, and seats on the system.
+ systemd_dbus_chat_logind(sysadm_t)
 ')
 tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 83f886344..7090a9136 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
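Review bot: The summary of userdom_dontaudit_rw_user_tmp_pipes says "temporary pipes" while the interface name and the sibling userdom_manage_user_tmp_pipes refer to user temporary pipes (user_tmp_t); suggest `## Do not audit attempts to read and write` / `## user temporary pipes.` so the text matches the type. The parameter description reads "Domain allowed access.", but for a dontaudit interface this series itself uses "Domain to not audit." (see dev_dontaudit_write_sysfs_files in patch 34); use that wording here for consistency.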
@@ -602,6 +602,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
@@ -725,8 +726,11 @@ ifdef(`distro_redhat',`
 tunable_policy(`systemd_logind_get_bootloader',`
 fs_getattr_dos_fs(systemd_logind_t)
+ fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_dos(systemd_logind_t)
 fs_read_dos_files(systemd_logind_t)
+
+ files_search_boot(systemd_logind_t)
 ')
 # systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
 # This reads the first sectors of fixed disk devices.
From 26e9ec7c43279d759d38df1a2d336ad6fd748129 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Apr 2021 09:00:55 -0400
Subject: [PATCH 31/34] authlogin: add new type for pwd.lock and others
This is in response to systemd needing to write to .pwd.lock in support of dynamic users, which is currently labeled shadow_t despite systemd seemingly not making any actual modifications to /etc/passwd or /etc/shadow. Instead of granting potentially overly permissive access, this commit assigns a new type to these lock files.
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/authlogin.fc | 6 +++---
 policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
 policy/modules/system/authlogin.te | 3 +++
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 7fd315706..95482bfcf 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,7 +1,7 @@
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/group\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
 /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 973195bd3..ce3ffc44a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
 ')
 files_list_etc($1)
+ auth_rw_shadow_lock($1)
 allow $1 shadow_t:file rw_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
 type shadow_t;
 ')
+ auth_rw_shadow_lock($1)
 allow $1 shadow_t:file manage_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
+########################################
+##
+## Read/Write shadow lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_rw_shadow_lock',`
+ gen_require(`
+ type shadow_lock_t;
+ ')
+
+ rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+')
+
 #######################################
 ##
 ## Append to the login failure log.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 31f5503ec..2a3a29401 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
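Review bot: auth_rw_shadow_lock grants rw on shadow_lock_t files but adds no search permission on /etc, whereas auth_rw_shadow calls files_list_etc($1) before invoking it; when the new interface is used on its own, as init.te does in patch 32, the caller is relying on /etc search obtained elsewhere. Adding `files_search_etc($1)` inside the interface makes it self-contained and matches the pattern of the other new interfaces in this series (udev_relabel_rules_dirs, fs_create_pstore_dirs). Since the fc hunk also moves /etc/group.lock and /etc/passwd.lock to the new type, the summary would be clearer as `## Read/Write the passwd, group and shadow lock files.`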
@@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+type shadow_lock_t;
+files_lock_file(shadow_lock_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)
From c0b1c7be6666151f808a43438cdbed93769f5e78 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Apr 2021 10:56:49 -0400
Subject: [PATCH 32/34] init: allow systemd to rw shadow lock files
This is in support of dynamic users.
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 32b48ec53..b1afa4eb0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -476,6 +476,8 @@ ifdef(`init_systemd',`
 auth_relabel_login_records(init_t)
 auth_relabel_pam_console_data_dirs(init_t)
 auth_domtrans_chk_passwd(init_t)
+ # for systemd dynamic users
+ auth_rw_shadow_lock(init_t)
 logging_manage_runtime_sockets(init_t)
 logging_relabelto_devlog_sock_files(init_t)
From 8887862973839a0e8ec8ef47ee8bf89fdc7a8b10 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 12 Apr 2021 16:33:55 -0400
Subject: [PATCH 33/34] filesystem, init: allow systemd to create pstore dirs
Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
 policy/modules/system/init.te | 1 +
 2 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 0047ea89e..f6b997714 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
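Review bot: `type shadow_lock_t; files_lock_file(shadow_lock_t)` moves /etc/.pwd.lock, group.lock and passwd.lock out from under the three neverallow rules on shadow_t visible just above, and files_lock_file presumably attaches the generic lock-file attribute, so every domain granted access to all lock files gains rw on these as well. That is reasonable if the files hold no secret, as the commit message argues, but a writer holding the lock can block account changes, so state it on the type: `# lock files for passwd/group/shadow updates; hold no secrets, but a holder can block account changes`. The init.te hunk in patch 32 that consumes this type already carries a comment; the type declaration is where the security rationale belongs.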
@@ -3868,6 +3868,25 @@ interface(`fs_getattr_pstore_dirs',`
 dev_search_sysfs($1)
 ')
+########################################
+##
+## Create pstore directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_create_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ create_dirs_pattern($1, pstore_t, pstore_t)
+ dev_search_sysfs($1)
+')
+
 ########################################
 ##
 ## Relabel to/from pstore_t directories.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b1afa4eb0..1b1a17d86 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -441,6 +441,7 @@ ifdef(`init_systemd',`
 # mount-setup
 fs_unmount_autofs(init_t)
 fs_getattr_pstore_dirs(init_t)
+ fs_create_pstore_dirs(init_t)
 # for network namespaces
 fs_read_nsfs_files(init_t)
From cd340e1f6f64271c2ba9a90b738756e9648ada54 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Tue, 13 Apr 2021 16:48:54 -0400
Subject: [PATCH 34/34] bootloader, devices: dontaudit grub writing on legacy efi variables
Newer versions of grub modify EFI variables on efivarfs. This commit adds a dontaudit on the legacy /sys/fs/efi/vars files.
Signed-off-by: Kenton Groombridge
---
 policy/modules/admin/bootloader.te | 2 ++
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 5eef8960b..be67f97e9 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 # needed on some hardware
 dev_rw_nvram(bootloader_t)
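Review bot: `dev_dontaudit_write_sysfs_files(bootloader_t)` silences write denials on every sysfs_t file, not only the legacy EFI variable files named in the comment, so a future real write attempt by grub to any other sysfs node would never show in the audit log. If the legacy interface is the only intended target, say so in the comment and record that no narrower type exists for that path, or introduce one; at minimum verify the path, since the legacy sysfs EFI variable interface is normally under /sys/firmware/efi rather than /sys/fs/efi as the comment and the commit message state. The devices.if hunk on the next line, which defines the interface, needs no change beyond that.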
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7dd0a5771..ae20e3365 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4473,6 +4473,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 dontaudit $1 sysfs_t:dir write;
 ')
+########################################
+##
+## Do not audit attempts to write to a sysfs file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete sysfs