systemd related interfaces

This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.

policy/modules/admin/sudo.if

@@ -154,6 +154,9 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		dbus_system_bus_client($1_sudo_t)
+		ifdef(`init_systemd',`
+			init_dbus_chat($1_sudo_t)
+		')
 	')
 
 	optional_policy(`

policy/modules/services/dbus.if

@@ -316,6 +316,25 @@ interface(`dbus_read_lib_files',`
 	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Relabel system dbus lib directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_relabel_lib_dirs',`
+	gen_require(`
+		type system_dbusd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto };
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete

policy/modules/services/ntp.te

@@ -142,6 +142,8 @@ ifdef(`init_systemd',`
 	dbus_connect_system_bus(ntpd_t)
 	init_dbus_chat(ntpd_t)
 	init_get_system_status(ntpd_t)
+	# for /var/lib/systemd/timesync
+	init_read_var_lib_links(ntpd_t)
 	allow ntpd_t self:capability { fowner setpcap };
 	init_read_state(ntpd_t)
 	init_reload(ntpd_t)

policy/modules/system/init.if

@@ -1132,6 +1132,25 @@ interface(`init_dbus_chat',`
 	allow init_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##      read/follow symlinks under /var/lib/systemd/
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_var_lib_links',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	allow $1 init_var_lib_t:dir list_dir_perms;
+	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      List /var/lib/systemd/ dir
@@ -1304,23 +1323,13 @@ interface(`init_pid_filetrans',`
 ## </param>
 #
 interface(`init_getattr_initctl',`
-	ifdef(`init_systemd',`
+	gen_require(`
-		# stat /run/systemd/initctl/fifo
+		type initctl_t;
-		gen_require(`
-			type init_var_run_t;
-		')
-
-		allow $1 init_var_run_t:fifo_file getattr;
-		allow $1 init_var_run_t:dir list_dir_perms;
-	',`
-		gen_require(`
-			type initctl_t;
-		')
-
-		dev_list_all_dev_nodes($1)
-		files_search_pids($1)
-		allow $1 initctl_t:fifo_file getattr;
 	')
+
+	files_search_pids($1)
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file getattr;
 ')
 
 ########################################
@@ -1857,6 +1866,25 @@ interface(`init_ptrace',`
 	allow $1 init_t:process ptrace;
 ')
 
+########################################
+## <summary>
+##	get init process stats
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_getattr',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getattr;
+')
+
 ########################################
 ## <summary>
 ##	Write an init script unnamed pipe.
@@ -2822,6 +2850,25 @@ interface(`init_search_units',`
 	fs_search_tmpfs($1)
 ')
 
+######################################
+## <summary>
+##	read systemd unit lnk files (usually under /run/systemd/units/)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_unit_links',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+	allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get status of generic systemd units.
@@ -3030,3 +3077,21 @@ interface(`init_admin',`
 	init_stop_system($1)
 	init_telinit($1)
 ')
+
+########################################
+## <summary>
+##      Allow getting init_t rlimit
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`init_getrlimit',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getrlimit;
+')

policy/modules/system/logging.te

@@ -541,10 +541,12 @@ ifdef(`init_systemd',`
 	dev_read_urand(syslogd_t)
 	dev_write_kmsg(syslogd_t)
 
+	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)
 
 	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_getattr(syslogd_t)
 	init_rename_pid_files(syslogd_t)
 	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)

policy/modules/system/systemd.te

@@ -736,6 +736,7 @@ term_setattr_generic_ptys(systemd_nspawn_t)
 term_use_ptmx(systemd_nspawn_t)
 
 init_domtrans_script(systemd_nspawn_t)
+init_getrlimit(systemd_nspawn_t)
 init_kill_scripts(systemd_nspawn_t)
 init_read_state(systemd_nspawn_t)
 init_search_run(systemd_nspawn_t)
@@ -1027,6 +1028,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 
 optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
+	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
 
 optional_policy(`