commit:     006bc33c0ddb00e9f9c628a4ea17fe029a51964f
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Mon Jan  3 20:12:14 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:08:37 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=006bc33c

systemd: Add systemd-homed and systemd-userdbd.

Systemd-homed does not completely work since the code does not label
the filesystems it creates.

The systemd-userdbd policy is partially derived from the Fedora policy.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/files.if      |  18 ++++
 policy/modules/services/mta.if      |   1 +
 policy/modules/services/ssh.if      |   1 +
 policy/modules/system/fstools.if    |   1 +
 policy/modules/system/init.if       |  18 ++++
 policy/modules/system/init.te       |   1 +
 policy/modules/system/lvm.te        |   4 +
 policy/modules/system/systemd.fc    |   9 +-
 policy/modules/system/systemd.if    |  38 +++++--
 policy/modules/system/systemd.te    | 194 +++++++++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.if |   4 +
 policy/support/misc_patterns.spt    |  28 ++++++
 12 files changed, 304 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f772bfe8..ea29fef3 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3851,6 +3851,24 @@ interface(`files_relabelfrom_home',`
        allow $1 home_root_t:dir relabelfrom;
 ')
 
+########################################
+## <summary>
+##     Watch the user home root (/home).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_home',`
+       gen_require(`
+               type home_root_t;
+       ')
+
+       allow $1 home_root_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Create objects in /home.

diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 434fa9c2..38c8cdb5 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -820,6 +820,7 @@ interface(`mta_list_spool',`
        ')
 
        allow $1 mail_spool_t:dir list_dir_perms;
+       files_search_spool($1)
 ')
 
 #######################################

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index ae23e199..b9ed26bc 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -277,6 +277,7 @@ template(`ssh_server_template', `
 
        optional_policy(`
                systemd_read_logind_sessions_files($1_t)
+               systemd_stream_connect_userdb($1_t)
        ')
 ')
 

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 6ebe3800..f994965a 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -61,6 +61,7 @@ interface(`fstools_exec',`
        ')
 
        can_exec($1, fsadm_exec_t)
+       corecmd_search_bin($1)
 ')
 
 ########################################

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index dacb8a93..1af2c62f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1114,6 +1114,24 @@ interface(`init_rw_stream_sockets',`
        allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to search init keys.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_dontaudit_search_keys',`
+       gen_require(`
+               type init_t;
+       ')
+
+       dontaudit $1 init_t:key search;
+')
+
 ########################################
 ## <summary>
 ##     start service (systemd).
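Review bot: The parameter description of `init_dontaudit_search_keys` reads `Domain allowed access.`, but the body is a single `dontaudit` rule and grants nothing. The usual refpolicy wording for dontaudit interfaces is `Domain to not audit.`, which keeps the generated interface documentation from implying that callers gain key search on init_t. The summary could also state that the access stays denied and only the AVC message is suppressed, so that anyone investigating missing audit records for init keyring access knows where to look.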

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2dfc3ca0..8e7919c1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -514,6 +514,7 @@ ifdef(`init_systemd',`
        systemd_filetrans_userdb_runtime_dirs(init_t)
        systemd_relabelto_journal_dirs(init_t)
        systemd_relabelto_journal_files(init_t)
+       systemd_stream_connect_userdb(init_t)
 
        term_create_devpts_dirs(init_t)
        term_create_ptmx(init_t)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index cfc4ed10..4d8380c3 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -251,6 +251,10 @@ optional_policy(`
        rpm_manage_script_tmp_files(lvm_t)
 ')
 
+optional_policy(`
+       systemd_rw_homework_semaphores(lvm_t)
+')
+
 optional_policy(`
        udev_read_runtime_files(lvm_t)
 ')

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6505951d..5cb24230 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -31,6 +31,8 @@
 /usr/lib/systemd/systemd-binfmt                --      
gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
 /usr/lib/systemd/systemd-cgroups-agent --      
gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
 /usr/lib/systemd/systemd-coredump      --      
gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-homed         --      
gen_context(system_u:object_r:systemd_homed_exec_t,s0)
+/usr/lib/systemd/systemd-homework       --      
gen_context(system_u:object_r:systemd_homework_exec_t,s0)
 /usr/lib/systemd/systemd-hostnamed     --      
gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
 /usr/lib/systemd/systemd-localed       --      
gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind                --      
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
@@ -45,6 +47,8 @@
 /usr/lib/systemd/systemd-update-done   --      
gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir      --      
gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions --      
gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
+/usr/lib/systemd/systemd-userdbd       --      
gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
+/usr/lib/systemd/systemd-userwork      --      
gen_context(system_u:object_r:systemd_userdbd_exec_t,s0)
 
 # Systemd unit files
 HOME_DIR/\.config/systemd(/.*)?                
gen_context(system_u:object_r:systemd_conf_home_t,s0)
@@ -64,6 +68,7 @@ HOME_DIR/\.local/share/systemd(/.*)?          
gen_context(system_u:object_r:systemd_data
 /usr/lib/systemd/system/systemd-networkd.*             
gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.*       --      
gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service --      
gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-userdbd\.(service|socket)              --      
gen_context(system_u:object_r:systemd_userdbd_unit_t,s0)
 /usr/lib/systemd/system/user@\.service --      
gen_context(system_u:object_r:systemd_user_manager_unit_t,s0)
 
 /usr/share/factory(/.*)?       
gen_context(system_u:object_r:systemd_factory_conf_t,s0)
@@ -72,6 +77,7 @@ HOME_DIR/\.local/share/systemd(/.*)?          
gen_context(system_u:object_r:systemd_data
 
 /var/lib/systemd/backlight(/.*)?       
gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?        
gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
+/var/lib/systemd/home(/.*)?     
gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?  
gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)?  
gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)?  
gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
@@ -89,11 +95,12 @@ HOME_DIR/\.local/share/systemd(/.*)?                
gen_context(system_u:object_r:systemd_data
 
 /run/systemd/ask-password(/.*)?        
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
+/run/systemd/home(/.*)?         
gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?       
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?    
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)?       
gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
-/run/systemd/userdb(/.*)?      
gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
+/run/systemd/userdb(/.*)?      
gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)?     
gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)?      
gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)?    
gen_context(system_u:object_r:systemd_machined_runtime_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e5214124..e68a9b44 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -863,6 +863,24 @@ interface(`systemd_PrivateDevices',`
        fs_read_tmpfs_symlinks($1)
 ')
 
+######################################
+## <summary>
+##   Read and write systemd-homework semaphores.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`systemd_rw_homework_semaphores',`
+       gen_require(`
+               type systemd_homework_t;
+       ')
+
+       allow $1 systemd_homework_t:sem rw_sem_perms;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read udev hwdb file
@@ -1191,10 +1209,10 @@ interface(`systemd_signull_logind',`
 #
 interface(`systemd_manage_userdb_runtime_dirs', `
        gen_require(`
-               type systemd_userdb_runtime_t;
+               type systemd_userdbd_runtime_t;
        ')
 
-       manage_dirs_pattern($1, systemd_userdb_runtime_t, 
systemd_userdb_runtime_t)
+       manage_dirs_pattern($1, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1209,10 +1227,10 @@ interface(`systemd_manage_userdb_runtime_dirs', `
 #
 interface(`systemd_manage_userdb_runtime_sock_files', `
        gen_require(`
-               type systemd_userdb_runtime_t;
+               type systemd_userdbd_runtime_t;
        ')
 
-       manage_sock_files_pattern($1, systemd_userdb_runtime_t, 
systemd_userdb_runtime_t)
+       manage_sock_files_pattern($1, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
 ')
 
 ########################################
@@ -1227,12 +1245,12 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 #
 interface(`systemd_stream_connect_userdb', `
        gen_require(`
-               type systemd_userdb_runtime_t;
+               type systemd_userdbd_t, systemd_userdbd_runtime_t;
        ')
 
        init_search_runtime($1)
-       allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
-       allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+       allow $1 systemd_userdbd_runtime_t:dir list_dir_perms;
+       stream_connect_pattern($1, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t, systemd_userdbd_t)
        init_unix_stream_socket_connectto($1)
 ')
 
@@ -1404,7 +1422,7 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 
 ########################################
 ## <summary>
-##  Transition to systemd_userdb_runtime_t when
+##  Transition to systemd_userdbd_runtime_t when
 ##  creating the userdb directory inside an init runtime
 ##  directory.
 ## </summary>
@@ -1416,10 +1434,10 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 #
 interface(`systemd_filetrans_userdb_runtime_dirs', `
        gen_require(`
-               type systemd_userdb_runtime_t;
+               type systemd_userdbd_runtime_t;
        ')
 
-       init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+       init_runtime_filetrans($1, systemd_userdbd_runtime_t, dir, "userdb")
 ')
 
 ######################################

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5aa824b2..db8c9979 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -115,6 +115,28 @@ typealias systemd_generator_t alias { 
systemd_fstab_generator_t systemd_gpt_gene
 typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t 
systemd_gpt_generator_exec_t };
 init_system_domain(systemd_generator_t, systemd_generator_exec_t)
 
+type systemd_homed_t;
+type systemd_homed_exec_t;
+init_daemon_domain(systemd_homed_t, systemd_homed_exec_t)
+
+type systemd_homework_t;
+type systemd_homework_exec_t;
+domain_type(systemd_homework_t)
+domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
+role system_r types systemd_homework_t;
+
+type systemd_homed_runtime_t;
+files_runtime_file(systemd_homed_runtime_t)
+
+type systemd_homed_storage_t;
+files_type(systemd_homed_storage_t)
+
+type systemd_homed_tmpfs_t;
+files_tmpfs_file(systemd_homed_tmpfs_t)
+
+type systemd_homed_var_lib_t;
+files_type(systemd_homed_var_lib_t)
+
 type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
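Review bot: `systemd_homed_storage_t` is declared here with `files_type()`, but none of the systemd.fc hunks in this commit adds a file context for it. The only visible way an object receives the type is the `files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)` rule in the systemd-homework section. Unless an entry exists outside the visible hunks, a filesystem relabel would reset those files to the default label for /home, and systemd_homework_t and systemd_homed_t would then lose access to them. Consider a matching systemd.fc entry, for example `/home/[^/]+\.home -- gen_context(system_u:object_r:systemd_homed_storage_t,s0)` if that is the naming homed uses on the target systems. A comment on the type saying which objects it is meant to label would help too.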
@@ -301,8 +323,15 @@ init_system_domain(systemd_user_runtime_dir_t, 
systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 
-type systemd_userdb_runtime_t;
-files_runtime_file(systemd_userdb_runtime_t)
+type systemd_userdbd_t;
+type systemd_userdbd_exec_t;
+init_daemon_domain(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+type systemd_userdbd_runtime_t alias systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdbd_runtime_t)
+
+type systemd_userdbd_unit_t;
+init_unit_file(systemd_userdbd_unit_t)
 
 type systemd_user_unit_t;
 init_unit_file(systemd_user_unit_t)
@@ -473,6 +502,8 @@ kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
 kernel_dontaudit_getattr_proc(systemd_generator_t)
+# Where an unlabeled mountpoint is encounted:
+kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
 storage_raw_read_fixed_disk(systemd_generator_t)
 
@@ -497,6 +528,125 @@ optional_policy(`
        miscfiles_read_localization(systemd_generator_t)
 ')
 
+#######################################
+#
+# systemd-homed policy
+#
+
+dontaudit systemd_homed_t self:capability { sys_resource sys_admin };
+allow systemd_homed_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+nnp_domtrans_pattern(systemd_homed_t, systemd_homework_exec_t, 
systemd_homework_t)
+
+allow systemd_homed_t systemd_homed_tmpfs_t:file manage_file_perms;
+fs_tmpfs_filetrans(systemd_homed_t, systemd_homed_tmpfs_t, file)
+
+manage_sock_files_pattern(systemd_homed_t, systemd_userdbd_runtime_t, 
systemd_homed_runtime_t)
+manage_dirs_pattern(systemd_homed_t, systemd_homed_runtime_t, 
systemd_homed_runtime_t)
+filetrans_pattern(systemd_homed_t, systemd_userdbd_runtime_t, 
systemd_homed_runtime_t, sock_file)
+init_runtime_filetrans(systemd_homed_t, systemd_homed_runtime_t, dir)
+
+allow systemd_homed_t systemd_homed_storage_t:file read_file_perms;
+
+allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
+allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
+init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
+
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homed_t)
+
+files_list_home(systemd_homed_t)
+files_watch_home(systemd_homed_t)
+files_read_etc_files(systemd_homed_t)
+files_search_tmp(systemd_homed_t)
+
+fs_get_xattr_fs_quotas(systemd_homed_t)
+fs_getattr_all_fs(systemd_homed_t)
+
+kernel_read_kernel_sysctls(systemd_homed_t)
+kernel_read_crypto_sysctls(systemd_homed_t)
+kernel_read_system_state(systemd_homed_t)
+
+systemd_log_parse_environment(systemd_homed_t)
+
+udev_read_runtime_files(systemd_homed_t)
+
+optional_policy(`
+       dbus_system_bus_client(systemd_homed_t)
+       dbus_connect_system_bus(systemd_homed_t)
+
+       init_dbus_chat(systemd_homed_t)
+')
+
+optional_policy(`
+       mta_list_spool(systemd_homed_t)
+')
+
+optional_policy(`
+       unconfined_dbus_send(systemd_homed_t)
+')
+
+#######################################
+#
+# systemd-homework policy
+#
+
+allow systemd_homework_t self:capability { chown fowner fsetid sys_admin };
+dontaudit systemd_homework_t self:capability sys_resource;
+allow systemd_homework_t self:key { search write };
+allow systemd_homework_t self:process getsched;
+allow systemd_homework_t self:sem create_sem_perms;
+
+allow systemd_homework_t systemd_homed_runtime_t:file manage_file_perms;
+allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
+files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
+init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
+
+# mount on /run/systemd/user-home-mount
+allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+
+allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
+files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
+
+allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
+
+dev_rw_loop_control(systemd_homework_t)
+dev_read_rand(systemd_homework_t)
+dev_read_urand(systemd_homework_t)
+dev_rw_lvm_control(systemd_homework_t)
+# Entries such as /sys/devices/virtual/block/loop1/uevent:
+dev_read_sysfs(systemd_homework_t)
+
+files_read_etc_files(systemd_homework_t)
+files_mounton_runtime_dirs(systemd_homework_t)
+
+fs_getattr_all_fs(systemd_homework_t)
+fs_search_all(systemd_homework_t)
+fs_mount_xattr_fs(systemd_homework_t)
+fs_unmount_xattr_fs(systemd_homework_t)
+
+fstools_exec(systemd_homework_t)
+
+init_rw_inherited_stream_socket(systemd_homework_t)
+init_use_fds(systemd_homework_t)
+init_dontaudit_search_keys(systemd_homework_t)
+
+kernel_write_key(systemd_homework_t)
+kernel_get_sysvipc_info(systemd_homework_t)
+kernel_request_load_module(systemd_homework_t)
+
+kernel_read_kernel_sysctls(systemd_homework_t)
+kernel_read_crypto_sysctls(systemd_homework_t)
+kernel_read_system_state(systemd_homework_t)
+
+# loopback:
+storage_raw_read_fixed_disk(systemd_homework_t)
+storage_raw_write_fixed_disk(systemd_homework_t)
+
+systemd_log_parse_environment(systemd_homework_t)
+
+udev_read_runtime_files(systemd_homework_t)
+
 #######################################
 #
 # Hostnamed policy
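Review bot: The `# loopback:` comment above `storage_raw_read_fixed_disk(systemd_homework_t)` and `storage_raw_write_fixed_disk(systemd_homework_t)` understates the grant. These interfaces apply to every device that carries the fixed-disk type, presumably because loop devices share that type, so systemd_homework_t can read and write block devices underneath the file-level labels. Combined with `sys_admin`, `kernel_request_load_module` and the mount permissions, this makes systemd_homework_t one of the most privileged domains in the module, and the commit message notes that the filesystems homed creates are not labelled. I would expand the comment to something like `# loop devices share the fixed disk type, so this is raw access to all fixed disks; narrow once loop devices can be typed separately`. The line `dontaudit systemd_homed_t self:capability { sys_resource sys_admin };` also deserves a comment saying why the sys_admin denial is expected, since silencing it removes a useful audit signal.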
@@ -630,6 +780,8 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir 
manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file 
manage_fifo_file_perms;
 
+stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t, systemd_userdbd_t)
+
 kernel_dontaudit_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 
@@ -814,6 +966,8 @@ allow systemd_machined_t systemd_machined_devpts_t:chr_file 
manage_chr_file_perm
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, 
systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file 
manage_lnk_file_perms;
 
+manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
+
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
@@ -1605,6 +1759,42 @@ udev_list_runtime(systemd_user_session_type)
 
 seutil_libselinux_linked(systemd_user_session_type)
 
+########################################
+#
+# systemd-userdbd local policy
+#
+
+allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:process signal;
+
+stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, 
systemd_homed_runtime_t, systemd_homed_t)
+
+manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
+manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
+manage_sock_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, 
systemd_userdbd_runtime_t)
+init_runtime_filetrans(systemd_userdbd_t, systemd_userdbd_runtime_t, dir)
+
+can_exec(systemd_userdbd_t, systemd_userdbd_exec_t)
+
+auth_read_shadow(systemd_userdbd_t)
+auth_use_nsswitch(systemd_userdbd_t)
+
+dev_read_urand(systemd_userdbd_t)
+
+files_read_etc_files(systemd_userdbd_t)
+files_read_etc_runtime_files(systemd_userdbd_t)
+files_read_usr_files(systemd_userdbd_t)
+
+fs_read_efivarfs_files(systemd_userdbd_t)
+
+init_stream_connect(systemd_userdbd_t)
+init_search_runtime(systemd_userdbd_t)
+init_read_state(systemd_userdbd_t)
+
+kernel_read_kernel_sysctls(systemd_userdbd_t)
+
+systemd_log_parse_environment(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
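Review bot: `auth_read_shadow(systemd_userdbd_t)` and `allow systemd_userdbd_t self:capability dac_read_search;` are granted without a comment, while this same commit lets init_t, the ssh server template and every domain built from `userdom_common_user_template` connect to the userdbd socket through `systemd_stream_connect_userdb`. The policy therefore relies on the daemon itself to withhold password hashes from unprivileged peers, because nothing in these rules distinguishes which client may receive them. A comment above `auth_read_shadow` such as `# userdbd serves shadow-backed records and must filter privileged fields per peer; policy does not enforce this` would record that trust assumption. systemd-userwork is labelled `systemd_userdbd_exec_t` in systemd.fc and reached via `can_exec`, so the worker processes appear to hold the same shadow access as the daemon, which is worth stating as well.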

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 6380e869..0f3bff78 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -920,6 +920,10 @@ template(`userdom_common_user_template',`
                usernetctl_run($1_t, $1_r)
        ')
 
+       optional_policy(`
+               systemd_stream_connect_userdb($1_t)
+       ')
+
        optional_policy(`
                virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
                virt_home_filetrans_virt_home($1_t, dir, ".virtinst")

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 4b689be9..fea708f9 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -60,6 +60,34 @@ define(`domtrans_pattern',`
        allow $3 $1:process sigchld;
 ')
 
+#
+# Automatic domain transition patterns
+# with NoNewPerms
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nnp_domtrans_pattern',`
+       domtrans_pattern($1,$2,$3)
+       allow $1 $3:process2 nnp_transition;
+')
+
+#
+# Automatic domain transition patterns
+# on nosuid filesystem
+#
+# Parameters:
+# 1. source domain
+# 2. entry point file type
+# 3. target domain
+#
+define(`nosuid_domtrans_pattern',`
+       domtrans_pattern($1,$2,$3)
+       allow $1 $3:process2 nosuid_transition;
+')
+
 #
 # Dynamic transition pattern
 #
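Review bot: The header comment for `nnp_domtrans_pattern` says `with NoNewPerms`, but the kernel flag is no_new_privs (systemd's `NoNewPrivileges=`), so `# with no_new_privs set (NoNewPrivileges=)` would be unambiguous and searchable. Both new macros permit a context change where the kernel would otherwise keep the caller's domain. Their comments should say they are for target domains that are deliberately allowed to differ under NNP or on a nosuid mount, and that plain `domtrans_pattern` remains the default. `nosuid_domtrans_pattern` has no caller in the visible hunks of this commit. The `process2` permissions `nnp_transition` and `nosuid_transition` presumably require kernel and policy support for them, and a one-line note of that requirement would save a confusing build or load failure on older targets.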
