[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     fcafb3c5c807a5731ef1dca2f82dd6eae31fd76a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct 12 13:31:18 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fcafb3c5

Module version bump for patches from Jason Zaman/Matthias Dahl.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/ipsec.te      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aba6d88..3c2224e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.19.0)
+policy_module(filesystem, 1.19.1)
 
 ########################################
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b9cfcc3..02fad03 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.15.1)
+policy_module(ipsec, 1.15.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     b0cfc980dcefdffcdcf2929394278e3ea983a88c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 04:12:51 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0cfc980

Add permissions for ZFS list and send/recv

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 9 +++++++++
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f1016a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',`
 	# See also bug 535992
 	#dev_manage_all_dev_nodes(kernel_t)
 	dev_setattr_generic_chr_files(kernel_t)
+
+	# ZFS send/recv writes to an fd
+	optional_policy(`
+		sysadm_use_fds(kernel_t)
+	')
+	# zfs list writes to a pipe
+	optional_policy(`
+		mount_rw_pipes(kernel_t)
+	')
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     3fdae66e37713cc8633303fdd3f09032b422b095
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Jan 11 18:14:55 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3fdae66e

Allow systemd services to use PrivateNetwork feature

systemd creates a new network namespace for services which are using
PrivateNetwork=yes.

In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.

While at it, add filesystem_type attribute to nsfs_t.

 policy/modules/kernel/filesystem.if | 17 +++++++++++++++++
 policy/modules/kernel/filesystem.te |  1 +
 policy/modules/system/init.te       |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 0db8233..b9b30da 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3360,6 +3360,23 @@ interface(`fs_rw_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	Read nsfs inodes (e.g. /proc/pid/ns/uts)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_nsfs_files',`
+	gen_require(`
+		type nsfs_t;
+	')
+
+	allow $1 nsfs_t:file read_file_perms;
+')
+########################################
+## <summary>
 ##	Getattr on pstore dirs.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 89de79d..04ea6b6 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -127,6 +127,7 @@ fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type nsfs_t;
+fs_type(nsfs_t)
 genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
 
 type oprofilefs_t;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a7fa7c0..4006e4f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -199,6 +199,7 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket lock;
 
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -260,6 +261,8 @@ ifdef(`init_systemd',`
 	# mount-setup
 	fs_unmount_autofs(init_t)
 	fs_getattr_pstore_dirs(init_t)
+	# for network namespaces
+	fs_read_nsfs_files(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     d29f9c0dde403f826f376b43cf477439586f6091
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jan 11 18:26:55 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d29f9c0d

Module version bump for systemd PrivateNetwork patch from Nicolas Iooss

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/init.te       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 04ea6b6..6ee0996 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.1)
+policy_module(filesystem, 1.20.2)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4006e4f..0aafb44 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.0)
+policy_module(init, 2.0.1)
 
 gen_require(`
 	class passwd rootok;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     812ae731d5b03900c178c14c2807ffd5ccff2dbc
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Feb  3 13:49:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=812ae731

Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and Laurent Bigonville

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 62d7c58..8de310b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.3)
+policy_module(filesystem, 1.20.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5565fd3..60a75fa 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.2)
+policy_module(systemd, 1.1.3)
 
 #########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     7722827868d5bbedbfb4368816351e4e4c7a5868
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Mar 31 12:32:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77228278

Module version bump for patches from Dominick Grift and Lukas Vrabec.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 86d59bf..b45c28e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.20.4)
+policy_module(filesystem, 1.20.5)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d40952..0bed23c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.3)
+policy_module(systemd, 1.1.4)
 
 #########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     7ac4b728b69e7ed058c3c1b51f7a23863c755168
Author:     Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Oct 29 15:39:46 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac4b728

Let users read/manage symlinks on fs that do not support xattr

Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/system/userdomain.if |  4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 11fff8d..5de3a44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',`
 
 ########################################
 ## <summary>
+##	Manage all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
 ##	Relabel all objets from filesystems that
 ##	do not support extended attributes.
 ## </summary>

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c4bef2b..e933890 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -609,10 +609,12 @@ template(`userdom_common_user_template',`
 	')
 
 	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
 		fs_manage_noxattr_fs_dirs($1_t)
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_symlinks($1_t)
 	',`
 		fs_read_noxattr_fs_files($1_t)
+		fs_read_noxattr_fs_symlinks($1_t)
 	')
 
 	tunable_policy(`user_ttyfile_stat',`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     979cd96bf6b028a2d41af72a94d9e86c5d0b50d3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 30 18:31:50 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:05:00 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=979cd96b

Module version bumps for patches from Guido Trentalancia.

 policy/modules/kernel/filesystem.te |  2 +-
 policy/modules/kernel/kernel.te     |  2 +-
 policy/modules/kernel/terminal.te   |  2 +-
 policy/modules/system/modutils.te   | 10 +++-------
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 12e4814..2e49c03 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.0)
+policy_module(filesystem, 1.21.1)
 
 ########################################
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 811494f..20b922c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.21.0)
+policy_module(kernel, 1.21.1)
 
 ########################################
 #

diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 30eb14e..63f43f7 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.15.0)
+policy_module(terminal, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 3b95f98..3bf9bff 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,16 +1,12 @@
-policy_module(modutils, 1.16.0)
+policy_module(modutils, 1.16.1)
 
 ########################################
 #
 # Declarations
 #
 
-type kmod_t;
-typealias kmod_t alias { insmod_t depmod_t update_modules_t };
-
-type kmod_exec_t;
-typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
-
+type kmod_t alias { insmod_t depmod_t update_modules_t };
+type kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
 application_domain(kmod_t, kmod_exec_t)
 mls_file_write_all_levels(kmod_t)
 role system_r types kmod_t;

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d147a56..67678c6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.12.0)
+policy_module(userdomain, 4.12.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     88b49ecb49e30198138612cead9beec8eab2acbc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 27 15:56:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88b49ecb

Module version bump for systemd patch from Nicolas Iooss.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te     | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a9c97ef..0471647 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.3)
+policy_module(filesystem, 1.21.4)
 
 ########################################
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 45626b7..c6531a2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.21.3)
+policy_module(kernel, 1.21.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf22ba8..c93fc90 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.2.1)
+policy_module(systemd, 1.2.2)
 
 #########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     2ee8cb27e92a136ad809c275920cc2a4fcdb5f5d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jan 10 01:34:15 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:40 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ee8cb27

Module version bumps for patches from cgzones.

 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/files.te          | 2 +-
 policy/modules/kernel/terminal.te       | 2 +-
 policy/modules/system/logging.te        | 2 +-
 policy/modules/system/mount.te          | 2 +-
 policy/modules/system/unconfined.te     | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 6e0ac9d..771064a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.22.1)
+policy_module(corenetwork, 1.22.2)
 
 ########################################
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 484c7c8..306b969 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.22.3)
+policy_module(files, 1.22.4)
 
 ########################################
 #

diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index ac68855..4c6c38d 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.15.2)
+policy_module(terminal, 1.15.3)
 
 ########################################
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5443405..20fcd39 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.24.3)
+policy_module(logging, 1.24.4)
 
 ########################################
 #

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 4bfb93b..1700ba0 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.18.2)
+policy_module(mount, 1.18.3)
 
 ########################################
 #

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 7e942fc..0e06659 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.8.1)
+policy_module(unconfined, 3.8.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3

Systemd fixes from Russell Coker.

 policy/modules/kernel/devices.if    |  37 +++++
 policy/modules/kernel/devices.te    |   6 +-
 policy/modules/kernel/files.if      | 127 +++++++++++++++
 policy/modules/kernel/files.te      |   6 +-
 policy/modules/system/authlogin.if  |   9 +
 policy/modules/system/authlogin.te  |   6 +-
 policy/modules/system/init.fc       |   2 +
 policy/modules/system/init.if       | 183 ++++++++++++++++++---
 policy/modules/system/init.te       | 317 +++++++++++++++++++++++++++++++++---
 policy/modules/system/logging.fc    |   5 +-
 policy/modules/system/logging.if    |  18 ++
 policy/modules/system/logging.te    |  36 +++-
 policy/modules/system/lvm.if        |  18 ++
 policy/modules/system/lvm.te        |   2 +-
 policy/modules/system/miscfiles.te  |   6 +-
 policy/modules/system/systemd.fc    |  11 +-
 policy/modules/system/systemd.if    | 122 +++++++++++++-
 policy/modules/system/systemd.te    |  49 +++++-
 policy/modules/system/udev.if       |  20 +++
 policy/modules/system/udev.te       |   2 +-
 policy/modules/system/unconfined.if |  19 +++
 policy/modules/system/unconfined.te |   2 +-
 policy/modules/system/userdomain.if |  71 ++++++++
 policy/modules/system/userdomain.te |   2 +-
 24 files changed, 1011 insertions(+), 65 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 ########################################
 ## <summary>
+##     Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	List all of the device nodes in a device directory.
 ## </summary>
 ## <param name="domain">
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##     Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##	Relabel from/to all sysfs types.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 ########################################
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+	systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 ########################################
 ## <summary>
+##     Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##     Relable all pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Delete all process IDs.
 ## </summary>
 ## <param name="domain">
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 ########################################
 ## <summary>
+##     Create all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete all process ID directories.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7c861cc1..63ec6591 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.4)
+policy_module(files, 1.23.5)
 
 ########################################
 #
@@ -174,6 +174,10 @@ type var_run_t;
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 55ce2bd2..5bac5fb3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_search_user_runtime($1)
+	userdom_read_user_tmpfs_files($1)
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
+
+	optional_policy(`
+		systemd_read_logind_state($1)
+		systemd_write_inherited_logind_sessions_pipes($1)
+		systemd_use_passwd_agent_fds($1)
+	')
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4273689..43c83620 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.10.1)
+policy_module(authlogin, 2.10.2)
 
 ########################################
 #
@@ -85,6 +85,10 @@ files_type(var_auth_t)
 type wtmp_t;
 logging_log_file(wtmp_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(faillog_t, file)
+')	systemd_tmpfilesd_managed(var_auth_t, dir)
+
 ########################################
 #
 # Check password local policy

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe085d15..b08e7a2a 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
 /run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
+/run/wd_keepalive\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4a36e12a..162ce266 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		type initrc_t;
+		type init_t, initrc_t;
 		role system_r;
 		attribute daemon;
 	')
@@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
 		init_domain($1, $2)
 		# this may be because of late labelling
 		kernel_dgram_send($1)
+
+		allow $1 init_t:unix_dgram_socket sendto;
 	')
 
 	optional_policy(`
@@ -400,8 +402,10 @@ interface(`init_system_domain',`
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
 	')
 ')
 
+######################################
+## <summary>
+##	Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_dyntrans',`
+	gen_require(`
+		type init_t;
+	')
+
+	dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Mark the file type as a daemon pid file, allowing initrc_t
@@ -708,6 +730,7 @@ interface(`init_stream_connect',`
 
 	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
 #
 interface(`init_telinit',`
 	gen_require(`
-		type initctl_t;
+		type initctl_t, init_t;
 	')
 
-	dev_list_all_dev_nodes($1)
+	ps_process_pattern($1, init_t)
+	allow $1 init_t:process signal;
+	# upstart uses a datagram socket instead of initctl pipe
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_dgram_socket sendto;
+	#576913
+	allow $1 init_t:unix_stream_socket connectto;
+
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
-	init_exec($1)
+	corecmd_exec_bin($1)
 
-	tunable_policy(`init_upstart',`
-		gen_require(`
-			type init_t;
-		')
+	dev_list_all_dev_nodes($1)
 
-		# upstart uses a datagram socket instead of initctl pipe
-		allow $1 self:unix_dgram_socket create_socket_perms;
-		allow $1 init_t:unix_dgram_socket sendto;
-	')
+	init_exec($1)
 ')
 
 ########################################
@@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',`
 
 ########################################
 ## <summary>
+##	Execute labelled init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_labeled_script',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
+	')
+
+	typeattribute $1 initrc_transition_domain;
+
+	files_list_etc($1)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 init_script_file_type:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
@@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
 	domtrans_pattern($1, $2, initrc_t)
 	files_search_etc($1)
 ')
@@ -1574,6 +1631,7 @@ interface(`init_run_daemon',`
 interface(`init_startstop_all_script_services',`
 	gen_require(`
 		attribute init_script_file_type;
+		class service { start status stop };
 	')
 
 	allow $1 init_script_file_type:service { start status stop };
@@ -1789,12 +1847,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+#######################################
+## <summary>
+##	Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_rename_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	rename_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename and de init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_delete_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	delete_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pid_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a43bf19b..54ca2ceb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.5)
+policy_module(init, 2.2.6)
 
 gen_require(`
 	class passwd rootok;
@@ -16,13 +16,22 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(init_daemons_use_tty, false)
+
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
+attribute initrc_transition_domain;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
@@ -33,7 +42,7 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -110,6 +119,7 @@ ifdef(`enable_mls',`
 
 # Use capabilities. old rule:
 allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
@@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@@ -199,6 +213,10 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
 	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -206,6 +224,18 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_selinux_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+
+	allow init_run_all_scripts_domain systemdunit:service { status start stop };
+
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -269,6 +299,9 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
 
@@ -355,6 +388,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
 
@@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
+allow initrc_t daemon:process siginh;
+
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
@@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
@@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
@@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
 mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
 
+init_get_system_status(initrc_t)
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
 libs_exec_ld_so(initrc_t)
@@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
 
@@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
@@ -643,6 +703,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
 
@@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
@@ -707,8 +771,25 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
@@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
@@ -734,7 +818,32 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`enabled_mls',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc, initrc_t, system_r)
+		# Allow initrc_su_t, now defined, to transition to postgresql_t
+		postgresql_domtrans(initrc_su_t)
+		# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
+		allow initrc_su_t initrc_devpts_t:chr_file { read write };
+	')
+')
+
 ifdef(`init_systemd',`
+	allow init_t self:system { status reboot halt reload };
+
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow initrc_t init_t:system { status reboot halt reload };
+	allow init_t self:capability2 audit_read;
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -746,11 +855,25 @@ ifdef(`init_systemd',`
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
 
 	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+	allow initrc_t systemd_unit_t:service reload;
 
 	manage_files_pattern(initrc_t, systemdunit, systemdunit)
 	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+	allow initrc_t systemdunit:service reload;
+	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -760,28 +883,83 @@ ifdef(`init_systemd',`
 	corecmd_bin_domtrans(init_t, initrc_t)
 	corecmd_shell_domtrans(init_t, initrc_t)
 
-	files_read_boot_files(initrc_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
+
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
 	files_setattr_pid_dirs(initrc_t)
+	files_unmount_all_file_type_fs(init_t)
 
-	selinux_set_enforce_mode(initrc_t)
+	fs_getattr_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_search_cgroup_dirs(daemon)
 
-	init_stream_connect(initrc_t)
+	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
+	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
-	init_get_all_units_status(initrc_t)
 	init_stop_all_units(initrc_t)
+	init_stream_connect(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
+	selinux_compute_create_context(init_t)
+	selinux_set_enforce_mode(initrc_t)
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
+	seutil_read_file_contexts(init_t)
 
+	storage_getattr_removable_dev(init_t)
+	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
+	term_relabel_pty_dirs(init_t)
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
@@ -800,6 +978,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -821,6 +1001,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
@@ -837,6 +1018,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -853,9 +1040,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -897,6 +1088,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
 
@@ -937,6 +1133,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
 
 optional_policy(`
@@ -960,6 +1157,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -982,6 +1180,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -1024,8 +1226,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1044,15 +1244,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc, initrc_t, system_r)
-	# Allow initrc_su_t, now defined, to transition to postgresql_t
-	postgresql_domtrans(initrc_su_t)
-	# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
-	allow initrc_su_t initrc_devpts_t:chr_file { read write };
-')
-
-optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
 	ssh_setattr_key_files(initrc_t)
 ')
@@ -1066,7 +1257,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -1082,6 +1272,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	domain_role_change_exemption(initrc_t)
+
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
+
 	unconfined_domain(initrc_t)
 
 	ifdef(`distro_redhat',`
@@ -1092,6 +1288,15 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',`
 		udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
 	')
 ')
+
+########################################
+#
+# Rules applied to all daemons
+#
+
+domain_dontaudit_use_interactive_fds(daemon)
+
+# daemons started from init will
+# inherit fds from init for the console
+term_dontaudit_use_console(daemon)
+
+init_dontaudit_use_fds(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+tunable_policy(`init_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(daemon)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream_sockets(daemon)
+')
+
+optional_policy(`
+	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
+########################################
+#
+# Rules applied to all system processes
+#
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+optional_policy(`
+	userdom_dontaudit_search_user_home_dirs(systemprocess)
+	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+	userdom_dontaudit_write_user_tmp_files(systemprocess)
+')

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6258954a..b7098cd5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -8,8 +8,9 @@
 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
@@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
 /run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
 /run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ba463497..102c4319 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
 
 ########################################
 ## <summary>
+##      Append to all log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
 ##	Read all log files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 10d2fc9f..9a6c714a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.2)
+policy_module(logging, 1.25.3)
 
 ########################################
 #
@@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
@@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+seutil_read_config(syslogd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
-	# systemd-journald permissions
-
-	allow syslogd_t self:capability { chown setgid setuid };
+	# for systemd-journal
+	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+	allow syslogd_t self:capability2 audit_read;
+	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t init_var_run_t:file { read write create open };
+	allow syslogd_t var_run_t:dir create;
 
-	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)
-	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
+	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_use_fds(syslogd_t)
+
+	dev_read_kmsg(syslogd_t)
+	dev_read_urand(syslogd_t)
+	dev_write_kmsg(syslogd_t)
 
+	domain_read_all_domains_state(syslogd_t)
+
+	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_rename_pid_files(syslogd_t)
+	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
+	init_read_pid_pipes(syslogd_t)
+	init_read_state(syslogd_t)
+
+	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_pid_files(syslogd_t)
 ')

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 5774034f..88fa9442 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
 	files_add_entry_lock_dirs($1)
 ')
 
+########################################
+## <summary>
+##      Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_pid_pipes',`
+	gen_require(`
+		type lvm_var_run_t;
+	')
+
+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58e03ff2..f8fed91d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.2)
+policy_module(lvm, 1.19.3)
 
 ########################################
 #

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 85a29e3d..ec4d8dc0 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.0)
+policy_module(miscfiles, 1.12.1)
 
 ########################################
 #
@@ -41,6 +41,10 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(man_t, dir)
+')
+
 type man_cache_t;
 files_type(man_cache_t)
 

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6eb0a5a3..2264336d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /usr/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@@ -32,15 +33,21 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:systemd_journal_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b07d2c5b..69ee084f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+	allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_sessions_var_run_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_sessions_var_run_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
 	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
 ')
 
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+
+	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
 ########################################
 ## <summary>
 ##   Allow process to relabel to systemd_kmod_conf_t.
@@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
 
 ########################################
 ## <summary>
+##      allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain that owns the fds
+##      </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+##      Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_filetrans_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##      manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##      Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 904c777a..19e6947a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.5)
+policy_module(systemd, 1.3.6)
 
 #########################################
 #
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
 attribute systemd_log_parse_env_type;
 
 type systemd_activate_t;
@@ -57,6 +65,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -65,6 +76,10 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_journal_t;
+files_type(systemd_journal_t)
+logging_log_file(systemd_journal_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
@@ -85,10 +100,21 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Backlight local policy
 #
 
+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
@@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+# for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+# for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
 #######################################
@@ -292,6 +325,14 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+########################################
+#
+# Nspawn local policy
+#
+
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+
+
 #########################################
 #
 # Resolved local policy
@@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
@@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d4c92ccb..847b65bf 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
+##      Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
 ## 	Search through udev pid content
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6034f30..08057d3d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.2)
+policy_module(udev, 1.21.3)
 
 ########################################
 #

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3bf66058..3f7f66a7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to read and write
+##      unconfined domain stream.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	unconfined domain tcp sockets.
 ## </summary>

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dc319d53..c1d4df8e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.0)
+policy_module(unconfined, 3.9.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45c0339f..0799c18c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+##     Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read and write inherited user
+##     TTYs and PTYs. This will allow the domain to
+##     interact with the user via the terminal. Typically
+##     all interactive applications will require this
+##     access.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to write users
+##      temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df3b9572..3d60070c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

[Jason Zaman]

commit:     5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3

Systemd fixes from Russell Coker.

 policy/modules/kernel/devices.if    |  37 +++++
 policy/modules/kernel/devices.te    |   6 +-
 policy/modules/kernel/files.if      | 127 +++++++++++++++
 policy/modules/kernel/files.te      |   6 +-
 policy/modules/system/authlogin.if  |   9 +
 policy/modules/system/authlogin.te  |   6 +-
 policy/modules/system/init.fc       |   2 +
 policy/modules/system/init.if       | 183 ++++++++++++++++++---
 policy/modules/system/init.te       | 317 +++++++++++++++++++++++++++++++++---
 policy/modules/system/logging.fc    |   5 +-
 policy/modules/system/logging.if    |  18 ++
 policy/modules/system/logging.te    |  36 +++-
 policy/modules/system/lvm.if        |  18 ++
 policy/modules/system/lvm.te        |   2 +-
 policy/modules/system/miscfiles.te  |   6 +-
 policy/modules/system/systemd.fc    |  11 +-
 policy/modules/system/systemd.if    | 122 +++++++++++++-
 policy/modules/system/systemd.te    |  49 +++++-
 policy/modules/system/udev.if       |  20 +++
 policy/modules/system/udev.te       |   2 +-
 policy/modules/system/unconfined.if |  19 +++
 policy/modules/system/unconfined.te |   2 +-
 policy/modules/system/userdomain.if |  71 ++++++++
 policy/modules/system/userdomain.te |   2 +-
 24 files changed, 1011 insertions(+), 65 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 ########################################
 ## <summary>
+##     Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	List all of the device nodes in a device directory.
 ## </summary>
 ## <param name="domain">
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##     Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##	Relabel from/to all sysfs types.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 ########################################
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+	systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 ########################################
 ## <summary>
+##     Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##     Relable all pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Delete all process IDs.
 ## </summary>
 ## <param name="domain">
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 ########################################
 ## <summary>
+##     Create all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete all process ID directories.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7c861cc1..63ec6591 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.4)
+policy_module(files, 1.23.5)
 
 ########################################
 #
@@ -174,6 +174,10 @@ type var_run_t;
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 55ce2bd2..5bac5fb3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_search_user_runtime($1)
+	userdom_read_user_tmpfs_files($1)
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
+
+	optional_policy(`
+		systemd_read_logind_state($1)
+		systemd_write_inherited_logind_sessions_pipes($1)
+		systemd_use_passwd_agent_fds($1)
+	')
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4273689..43c83620 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.10.1)
+policy_module(authlogin, 2.10.2)
 
 ########################################
 #
@@ -85,6 +85,10 @@ files_type(var_auth_t)
 type wtmp_t;
 logging_log_file(wtmp_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(faillog_t, file)
+')	systemd_tmpfilesd_managed(var_auth_t, dir)
+
 ########################################
 #
 # Check password local policy

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe085d15..b08e7a2a 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
 /run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
+/run/wd_keepalive\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4a36e12a..162ce266 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		type initrc_t;
+		type init_t, initrc_t;
 		role system_r;
 		attribute daemon;
 	')
@@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
 		init_domain($1, $2)
 		# this may be because of late labelling
 		kernel_dgram_send($1)
+
+		allow $1 init_t:unix_dgram_socket sendto;
 	')
 
 	optional_policy(`
@@ -400,8 +402,10 @@ interface(`init_system_domain',`
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
 	')
 ')
 
+######################################
+## <summary>
+##	Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_dyntrans',`
+	gen_require(`
+		type init_t;
+	')
+
+	dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Mark the file type as a daemon pid file, allowing initrc_t
@@ -708,6 +730,7 @@ interface(`init_stream_connect',`
 
 	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
 #
 interface(`init_telinit',`
 	gen_require(`
-		type initctl_t;
+		type initctl_t, init_t;
 	')
 
-	dev_list_all_dev_nodes($1)
+	ps_process_pattern($1, init_t)
+	allow $1 init_t:process signal;
+	# upstart uses a datagram socket instead of initctl pipe
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_dgram_socket sendto;
+	#576913
+	allow $1 init_t:unix_stream_socket connectto;
+
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
-	init_exec($1)
+	corecmd_exec_bin($1)
 
-	tunable_policy(`init_upstart',`
-		gen_require(`
-			type init_t;
-		')
+	dev_list_all_dev_nodes($1)
 
-		# upstart uses a datagram socket instead of initctl pipe
-		allow $1 self:unix_dgram_socket create_socket_perms;
-		allow $1 init_t:unix_dgram_socket sendto;
-	')
+	init_exec($1)
 ')
 
 ########################################
@@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',`
 
 ########################################
 ## <summary>
+##	Execute labelled init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_labeled_script',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
+	')
+
+	typeattribute $1 initrc_transition_domain;
+
+	files_list_etc($1)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 init_script_file_type:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
@@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
 	domtrans_pattern($1, $2, initrc_t)
 	files_search_etc($1)
 ')
@@ -1574,6 +1631,7 @@ interface(`init_run_daemon',`
 interface(`init_startstop_all_script_services',`
 	gen_require(`
 		attribute init_script_file_type;
+		class service { start status stop };
 	')
 
 	allow $1 init_script_file_type:service { start status stop };
@@ -1789,12 +1847,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+#######################################
+## <summary>
+##	Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_rename_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	rename_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename and de init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_delete_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	delete_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pid_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a43bf19b..54ca2ceb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.5)
+policy_module(init, 2.2.6)
 
 gen_require(`
 	class passwd rootok;
@@ -16,13 +16,22 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(init_daemons_use_tty, false)
+
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
+attribute initrc_transition_domain;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
@@ -33,7 +42,7 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -110,6 +119,7 @@ ifdef(`enable_mls',`
 
 # Use capabilities. old rule:
 allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
@@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
@@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@@ -199,6 +213,10 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
 	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -206,6 +224,18 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_selinux_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+
+	allow init_run_all_scripts_domain systemdunit:service { status start stop };
+
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
@@ -269,6 +299,9 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
 
@@ -355,6 +388,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
 
@@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
+allow initrc_t daemon:process siginh;
+
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
@@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
@@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
@@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
@@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
@@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
 mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
 
+init_get_system_status(initrc_t)
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
 libs_exec_ld_so(initrc_t)
@@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
 
@@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
@@ -643,6 +703,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
 
@@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
@@ -707,8 +771,25 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
@@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
@@ -734,7 +818,32 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`enabled_mls',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc, initrc_t, system_r)
+		# Allow initrc_su_t, now defined, to transition to postgresql_t
+		postgresql_domtrans(initrc_su_t)
+		# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
+		allow initrc_su_t initrc_devpts_t:chr_file { read write };
+	')
+')
+
 ifdef(`init_systemd',`
+	allow init_t self:system { status reboot halt reload };
+
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow initrc_t init_t:system { status reboot halt reload };
+	allow init_t self:capability2 audit_read;
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -746,11 +855,25 @@ ifdef(`init_systemd',`
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
 
 	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+	allow initrc_t systemd_unit_t:service reload;
 
 	manage_files_pattern(initrc_t, systemdunit, systemdunit)
 	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+	allow initrc_t systemdunit:service reload;
+	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -760,28 +883,83 @@ ifdef(`init_systemd',`
 	corecmd_bin_domtrans(init_t, initrc_t)
 	corecmd_shell_domtrans(init_t, initrc_t)
 
-	files_read_boot_files(initrc_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
+
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
 	files_setattr_pid_dirs(initrc_t)
+	files_unmount_all_file_type_fs(init_t)
 
-	selinux_set_enforce_mode(initrc_t)
+	fs_getattr_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_search_cgroup_dirs(daemon)
 
-	init_stream_connect(initrc_t)
+	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
+	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
-	init_get_all_units_status(initrc_t)
 	init_stop_all_units(initrc_t)
+	init_stream_connect(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
+	selinux_compute_create_context(init_t)
+	selinux_set_enforce_mode(initrc_t)
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
+	seutil_read_file_contexts(init_t)
 
+	storage_getattr_removable_dev(init_t)
+	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
+	term_relabel_pty_dirs(init_t)
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
@@ -800,6 +978,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
 
 optional_policy(`
@@ -821,6 +1001,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
 
 optional_policy(`
@@ -837,6 +1018,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -853,9 +1040,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -897,6 +1088,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
 
@@ -937,6 +1133,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
 
 optional_policy(`
@@ -960,6 +1157,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -982,6 +1180,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -1024,8 +1226,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1044,15 +1244,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc, initrc_t, system_r)
-	# Allow initrc_su_t, now defined, to transition to postgresql_t
-	postgresql_domtrans(initrc_su_t)
-	# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
-	allow initrc_su_t initrc_devpts_t:chr_file { read write };
-')
-
-optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
 	ssh_setattr_key_files(initrc_t)
 ')
@@ -1066,7 +1257,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -1082,6 +1272,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	domain_role_change_exemption(initrc_t)
+
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
+
 	unconfined_domain(initrc_t)
 
 	ifdef(`distro_redhat',`
@@ -1092,6 +1288,15 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',`
 		udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
 	')
 ')
+
+########################################
+#
+# Rules applied to all daemons
+#
+
+domain_dontaudit_use_interactive_fds(daemon)
+
+# daemons started from init will
+# inherit fds from init for the console
+term_dontaudit_use_console(daemon)
+
+init_dontaudit_use_fds(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+tunable_policy(`init_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(daemon)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream_sockets(daemon)
+')
+
+optional_policy(`
+	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
+########################################
+#
+# Rules applied to all system processes
+#
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+optional_policy(`
+	userdom_dontaudit_search_user_home_dirs(systemprocess)
+	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+	userdom_dontaudit_write_user_tmp_files(systemprocess)
+')

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6258954a..b7098cd5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -8,8 +8,9 @@
 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
@@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
 /run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
 /run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ba463497..102c4319 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
 
 ########################################
 ## <summary>
+##      Append to all log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
 ##	Read all log files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 10d2fc9f..9a6c714a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.2)
+policy_module(logging, 1.25.3)
 
 ########################################
 #
@@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
@@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+seutil_read_config(syslogd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
-	# systemd-journald permissions
-
-	allow syslogd_t self:capability { chown setgid setuid };
+	# for systemd-journal
+	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+	allow syslogd_t self:capability2 audit_read;
+	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t init_var_run_t:file { read write create open };
+	allow syslogd_t var_run_t:dir create;
 
-	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)
-	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
+	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_use_fds(syslogd_t)
+
+	dev_read_kmsg(syslogd_t)
+	dev_read_urand(syslogd_t)
+	dev_write_kmsg(syslogd_t)
 
+	domain_read_all_domains_state(syslogd_t)
+
+	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_rename_pid_files(syslogd_t)
+	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
+	init_read_pid_pipes(syslogd_t)
+	init_read_state(syslogd_t)
+
+	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_pid_files(syslogd_t)
 ')

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 5774034f..88fa9442 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
 	files_add_entry_lock_dirs($1)
 ')
 
+########################################
+## <summary>
+##      Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_pid_pipes',`
+	gen_require(`
+		type lvm_var_run_t;
+	')
+
+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58e03ff2..f8fed91d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.2)
+policy_module(lvm, 1.19.3)
 
 ########################################
 #

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 85a29e3d..ec4d8dc0 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.0)
+policy_module(miscfiles, 1.12.1)
 
 ########################################
 #
@@ -41,6 +41,10 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(man_t, dir)
+')
+
 type man_cache_t;
 files_type(man_cache_t)
 

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6eb0a5a3..2264336d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /usr/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
@@ -32,15 +33,21 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:systemd_journal_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b07d2c5b..69ee084f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+	allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_sessions_var_run_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_sessions_var_run_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
 	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
 ')
 
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+
+	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
 ########################################
 ## <summary>
 ##   Allow process to relabel to systemd_kmod_conf_t.
@@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
 
 ########################################
 ## <summary>
+##      allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain that owns the fds
+##      </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+##      Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_filetrans_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##      manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##      Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 904c777a..19e6947a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.5)
+policy_module(systemd, 1.3.6)
 
 #########################################
 #
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
 attribute systemd_log_parse_env_type;
 
 type systemd_activate_t;
@@ -57,6 +65,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -65,6 +76,10 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_journal_t;
+files_type(systemd_journal_t)
+logging_log_file(systemd_journal_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
@@ -85,10 +100,21 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Backlight local policy
 #
 
+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
@@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+# for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+# for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
 #######################################
@@ -292,6 +325,14 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+########################################
+#
+# Nspawn local policy
+#
+
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+
+
 #########################################
 #
 # Resolved local policy
@@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
@@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d4c92ccb..847b65bf 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
+##      Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
 ## 	Search through udev pid content
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6034f30..08057d3d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.2)
+policy_module(udev, 1.21.3)
 
 ########################################
 #

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3bf66058..3f7f66a7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to read and write
+##      unconfined domain stream.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	unconfined domain tcp sockets.
 ## </summary>

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dc319d53..c1d4df8e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.0)
+policy_module(unconfined, 3.9.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45c0339f..0799c18c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+##     Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read and write inherited user
+##     TTYs and PTYs. This will allow the domain to
+##     interact with the user via the terminal. Typically
+##     all interactive applications will require this
+##     access.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to write users
+##      temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df3b9572..3d60070c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Sven Vermeulen]

commit:     5e3aa97329b87e61b7b4b763f90cb795bc45cc74
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu May 11 23:54:25 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:48 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5e3aa973

Module version bump for changes from Jason Zaman and Luis Ressel.

 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/system/libraries.te    | 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 4cd6873a..1ee2a9e3 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.9)
+policy_module(corecommands, 1.23.10)
 
 ########################################
 #

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 3245a5e5..1bee4fa0 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.3)
+policy_module(libraries, 2.14.4)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 487bceca..e61d4209 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.10)
+policy_module(selinuxutil, 1.22.11)
 
 gen_require(`
 	bool secure_mode;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     94e5bdcfc5d1a49605d019ff465dd9f56bd9686d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec 13 23:29:26 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94e5bdcf

storage, userdomain: Module version bump.

 policy/modules/kernel/storage.te    | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index eb9b5b8d..d2a49c97 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.15.0)
+policy_module(storage, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index a3a1802e..3db9b0c2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.9)
+policy_module(userdomain, 4.14.10)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     18b85ee49eaccaf5c2765a65234661513555c5f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb  8 14:35:13 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18b85ee4

systemd, devices: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/devices.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 70cbc49e..05c087bc 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.25.7)
+policy_module(devices, 1.25.8)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7624d258..0c3fa6c1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.12)
+policy_module(systemd, 1.8.13)
 
 #########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     49688047a9eaf2a136c50ecb7ad5097a9921e870
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Nov  5 11:55:25 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49688047

filesystem, xen: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/xen.te        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f338e207..ef891c09 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.28.2)
+policy_module(filesystem, 1.28.3)
 
 ########################################
 #

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 82328cbb..232c3ee4 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.18.1)
+policy_module(xen, 1.18.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     6a9ade8f0070fb55b5e24befa2501644b412fed2
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Dec  7 16:09:15 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a9ade8f

Allow systemd-modules-load to search kernel keys

I was seeing the following errors from systemd-modules-load without this search permission.

Dec  7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec  7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec  7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec  7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec  7 14:36:19 systemd: Failed to start Load Kernel Modules.

This is the denial:

Dec  7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc:  denied { search } for  pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.te   | 1 +
 policy/modules/system/modutils.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8693e800..d70f625b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -512,6 +512,7 @@ if( ! secure_mode_insmod ) {
 	# gt: there seems to be no trace of the above, at
 	# least in kernel versions greater than 2.6.37...
 	allow can_load_kernmodule self:capability sys_nice;
+	kernel_search_key(can_load_kernmodule)
 	kernel_setsched(can_load_kernmodule)
 }
 

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index e002e6e3..a7f8e42c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -62,7 +62,6 @@ kernel_write_proc_files(kmod_t)
 kernel_mount_debugfs(kmod_t)
 kernel_mount_kvmfs(kmod_t)
 kernel_read_debugfs(kmod_t)
-kernel_search_key(kmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(kmod_t)
 kernel_rw_kernel_sysctl(kmod_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     722e26ffd25c220056e1cdb1b48b14f95011ba1f
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 09:00:35 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=722e26ff

Enable factory directory support in systemd-tmpfilesd

/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.

This behaiour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered as a security risk.

Relevant denials are silenced in case the policy is disabled.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/files.if   | 20 ++++++++++++++++++++
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 3 files changed, 46 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b493a4a1..55fbf783 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3119,6 +3119,26 @@ interface(`files_manage_etc_files',`
 	read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to create, read, write,
+##	and delete generic files in /etc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dontaudit_manage_etc_files',`
+	gen_require(`
+		type etc_t;
+	')
+
+	dontaudit $1 etc_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Delete system configuration files in /etc.

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f88fdfb4..8dcae1a9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -55,6 +55,8 @@
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 
+/usr/share/factory(/.*)?	gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
 /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5d34e6d2..ed2bce80 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
 ## </desc>
 gen_tunable(systemd_socket_proxyd_connect_any, false)
 
+## <desc>
+## <p>
+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfilesd_factory, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
 type systemd_generator_t;
 type systemd_generator_exec_t;
 typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
@@ -1283,6 +1294,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
 allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
 
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1377,6 +1389,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 	files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+tunable_policy(`systemd_tmpfilesd_factory', `
+	allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+	allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+	files_manage_etc_files(systemd_tmpfiles_t)
+',`
+	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+	files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+')
+
 optional_policy(`
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     b5319ac6961b49e3f3b83cd390c102cd39bb33fd
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 14:59:22 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5319ac6

Allow systemd-tmpfilesd to relabel generic files inside /etc

Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.

Fixes:

avc:  denied  { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/files.if   | 38 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te |  4 ++++
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 55fbf783..0687a435 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1611,6 +1611,25 @@ interface(`files_relabel_config_dirs',`
 	relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+#########################################
+## <summary>
+##	Do not audit attempts to relabel configuration directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+##
+#
+interface(`files_dontaudit_relabel_config_dirs',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	dontaudit $1 configfile:dir relabel_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read config files in /etc.
@@ -1669,6 +1688,25 @@ interface(`files_relabel_config_files',`
 	relabel_files_pattern($1, configfile, configfile)
 ')
 
+#######################################
+## <summary>
+##	Do not audit attempts to relabel configuration files
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain not to audit.
+##	</summary>
+## </param>
+##
+#
+interface(`files_dontaudit_relabel_config_files',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	dontaudit $1 configfile:file relabel_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ed2bce80..08c26078 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
 	allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
 
 	files_manage_etc_files(systemd_tmpfiles_t)
+	files_relabel_config_dirs(systemd_tmpfiles_t)
+	files_relabel_config_files(systemd_tmpfiles_t)
 ',`
 	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
 	dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
 
 	files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+	files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
+	files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
 ')
 
 optional_policy(`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Jason Zaman]

commit:     fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Nov 10 17:58:42 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e

files, init: allow init to remount filesystems mounted on /boot

The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/files.if | 18 ++++++++++++++++++
 policy/modules/system/init.te  |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ea29fef3..baedb52e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2238,6 +2238,24 @@ interface(`files_mounton_root',`
 	allow $1 root_t:dir mounton;
 ')
 
+########################################
+## <summary>
+##	Remount a filesystem mounted on /boot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_remount_boot',`
+	gen_require(`
+		type boot_t;
+	')
+
+	allow $1 boot_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ##	Get attributes of the /boot directory.

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3f1c7d20..6e1baef9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -417,6 +417,7 @@ ifdef(`init_systemd',`
 	files_mounton_tmp(init_t)
 	files_manage_urandom_seed(init_t)
 	files_read_boot_files(initrc_t)
+	files_remount_boot(init_t)
 	files_relabel_all_lock_dirs(init_t)
 	files_search_all(init_t)
 	files_unmount_all_file_type_fs(init_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Kenton Groombridge]

commit:     70226d790395660a9e086b8c0eeec28acf2c7e3b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 18:18:41 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79

fs, udev: allow systemd-udevd various cgroup perms

Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/filesystem.if | 40 ++++++++++++++++++++++++++++++++++++-
 policy/modules/system/udev.te       |  6 +++++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index af2023e62..a1282cf40 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_dirs_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	create_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Watch cgroup files.

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 56cfa2fb8..2fae88354 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
 	files_search_kernel_modules(udev_t)
 
-	fs_read_cgroup_files(udev_t)
+	# systemd-udev creates cgroup files under
+	# /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+	fs_create_cgroup_dirs(udev_t)
+	fs_create_cgroup_files(udev_t)
+	fs_rw_cgroup_files(udev_t)
 
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Kenton Groombridge]

commit:     71328f3f02d4765b904f1a2a6c9fe140cb116182
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 18:37:02 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71328f3f

files, systemd: allow systemd-tmpfiles to relabel config file symlinks

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/files.if   | 19 +++++++++++++++++++
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a895f3734..6fe764a7a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1713,6 +1713,25 @@ interface(`files_dontaudit_relabel_config_files',`
 	dontaudit $1 configfile:file relabel_file_perms;
 ')
 
+#######################################
+## <summary>
+##	Relabel configuration symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`files_relabel_config_symlinks',`
+	gen_require(`
+		attribute configfile;
+	')
+
+	relabel_lnk_files_pattern($1, configfile, configfile)
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 778052cde..59a3fcfc5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1704,8 +1704,9 @@ files_manage_all_locks(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_read_etc_runtime_files(systemd_tmpfiles_t)
-files_relabel_config_files(systemd_tmpfiles_t)
 files_relabel_config_dirs(systemd_tmpfiles_t)
+files_relabel_config_files(systemd_tmpfiles_t)
+files_relabel_config_symlinks(systemd_tmpfiles_t)
 files_relabel_all_locks(systemd_tmpfiles_t)
 files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Kenton Groombridge]

commit:     af8127d982e94211a2a717c9fb3249ef7456ee7a
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 00:19:51 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8127d9

fs, init: allow systemd-init to set the attributes of efivarfs files

avc:  denied  { setattr } for  pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/filesystem.if | 20 ++++++++++++++++++++
 policy/modules/system/init.te       |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a1282cf40..528eeafc0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
 	read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
 
+#######################################
+## <summary>
+##      Set the attributes of files in efivarfs
+##      - contains Linux Kernel configuration options for UEFI systems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_setattr_efivarfs_files',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	setattr_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 87d62741e..fca349587 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -464,6 +464,7 @@ ifdef(`init_systemd',`
 	fs_relabel_tmpfs_chr_files(init_t)
 	fs_relabel_tmpfs_fifo_files(init_t)
 	fs_read_efivarfs_files(init_t)
+	fs_setattr_efivarfs_files(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

[Kenton Groombridge]

commit:     b093761cac708c6320ea8588f089cb98fd974a24
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:44 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:50 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c

systemd: binfmt updates

    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/filesystem.if | 37 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  6 ++++++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 08ad5503d..ae022b6c0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
 	manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 
 ')
 
+########################################
+## <summary>
+##	Check for permissions using access(2) of directories on
+##	binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 ########################################
 ## <summary>
 ##	Register an interpreter for new binary

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d07466e6..63fef177b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ######################################
 #