selinux-policy/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch

From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 3 Aug 2020 14:49:31 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48
Conflict: NA
Subject: [PATCH] sysnetwork.if: avoid directly referencing
 systemd_resolved_var_run_t

Instead create a systemd_resolved_pid_filetrans() interface in
systemd.if and use that. Also used a unified interface for adding these
transitions in sysnet_filetrans_named_content() and directly in the
systemd module.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++---------
 policy/modules/system/systemd.if    | 34 ++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  4 +---
 3 files changed, 62 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 10172d6..d7b696b 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',`
 
 ########################################
 ## <summary>
+##	Set up filename transitions for systemd-resolved network
+##	configuration content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_filetrans_systemd_resolved',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	optional_policy(`
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+	')
+')
+
+########################################
+## <summary>
 ##	Transition to sysnet named content
 ## </summary>
 ## <param name="domain">
@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',`
 interface(`sysnet_filetrans_named_content',`
 	gen_require(`
 		type net_conf_t;
-		type systemd_resolved_var_run_t;
 	')
 
 	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',`
 	init_pid_filetrans($1, net_conf_t, dir, "network")
 
 	optional_policy(`
-	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
-	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-    ')
+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+	')
 
-    optional_policy(`
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-    ')
+	sysnet_filetrans_systemd_resolved($1)
 ')
 
 ########################################
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 26d4927..d10ae16 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',`
 	write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Create objects in /var/run/systemd/resolve with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`systemd_resolved_pid_filetrans',`
+	gen_require(`
+		type systemd_resolved_var_run_t;
+	')
+
+	filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
+')
+
 ######################################
 ## <summary>
 ##	Read systemd_login PID files.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 332d716..c806b29 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t)
 dev_read_sysfs(systemd_resolved_t)
 
 sysnet_manage_config(systemd_resolved_t)
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
+sysnet_filetrans_systemd_resolved(systemd_resolved_t)
 
 systemd_read_efivarfs(systemd_resolved_t)
 
-- 
1.8.3.1
backport some upstream patches 2021-05-31 16:38:15 +08:00			`From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001`
			`From: Ondrej Mosnacek <omosnace@redhat.com>`
			`Date: Mon, 3 Aug 2020 14:49:31 +0200`
			`Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48`
			`Conflict: NA`
			`Subject: [PATCH] sysnetwork.if: avoid directly referencing`
			`systemd_resolved_var_run_t`

			`Instead create a systemd_resolved_pid_filetrans() interface in`
			`systemd.if and use that. Also used a unified interface for adding these`
			`transitions in sysnet_filetrans_named_content() and directly in the`
			`systemd module.`

			`Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>`
			`---`
			`policy/modules/system/sysnetwork.if \| 36 +++++++++++++++++++++++++++---------`
			`policy/modules/system/systemd.if \| 34 ++++++++++++++++++++++++++++++++++`
			`policy/modules/system/systemd.te \| 4 +---`
			`3 files changed, 62 insertions(+), 12 deletions(-)`

			`diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if`
			`index 10172d6..d7b696b 100644`
			`--- a/policy/modules/system/sysnetwork.if`
			`+++ b/policy/modules/system/sysnetwork.if`
			@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',`

			`########################################`
			`## <summary>`
			`+## Set up filename transitions for systemd-resolved network`
			`+## configuration content.`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain allowed access.`
			`+## </summary>`
			`+## </param>`
			`+#`
			+interface(`sysnet_filetrans_systemd_resolved',`
			+ gen_require(`
			`+ type net_conf_t;`
			`+ ')`
			`+`
			+ optional_policy(`
			`+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")`
			`+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")`
			`+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")`
			`+ ')`
			`+')`
			`+`
			`+########################################`
			`+## <summary>`
			`## Transition to sysnet named content`
			`## </summary>`
			`## <param name="domain">`
			@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',`
			interface(`sysnet_filetrans_named_content',`
			gen_require(`
			`type net_conf_t;`
			`- type systemd_resolved_var_run_t;`
			`')`

			`files_etc_filetrans($1, net_conf_t, file, "resolv.conf")`
			@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',`
			`init_pid_filetrans($1, net_conf_t, dir, "network")`

			optional_policy(`
			`- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")`
			`- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")`
			`- ')`
			`+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")`
			`+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")`
			`+ ')`

			- optional_policy(`
			`- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")`
			`- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")`
			`- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf")`
			`- ')`
			`+ sysnet_filetrans_systemd_resolved($1)`
			`')`

			`########################################`
			`diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if`
			`index 26d4927..d10ae16 100644`
			`--- a/policy/modules/system/systemd.if`
			`+++ b/policy/modules/system/systemd.if`
			@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',`
			`write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)`
			`')`

			`+########################################`
			`+## <summary>`
			`+## Create objects in /var/run/systemd/resolve with a private`
			`+## type using a type_transition.`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain allowed access.`
			`+## </summary>`
			`+## </param>`
			`+## <param name="file_type">`
			`+## <summary>`
			`+## Private file type.`
			`+## </summary>`
			`+## </param>`
			`+## <param name="class">`
			`+## <summary>`
			`+## Object classes to be created.`
			`+## </summary>`
			`+## </param>`
			`+## <param name="name" optional="true">`
			`+## <summary>`
			`+## The name of the object being created.`
			`+## </summary>`
			`+## </param>`
			`+#`
			+interface(`systemd_resolved_pid_filetrans',`
			+ gen_require(`
			`+ type systemd_resolved_var_run_t;`
			`+ ')`
			`+`
			`+ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)`
			`+')`
			`+`
			`######################################`
			`## <summary>`
			`## Read systemd_login PID files.`
			`diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te`
			`index 332d716..c806b29 100644`
			`--- a/policy/modules/system/systemd.te`
			`+++ b/policy/modules/system/systemd.te`
			`@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t)`
			`dev_read_sysfs(systemd_resolved_t)`

			`sysnet_manage_config(systemd_resolved_t)`
			`-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")`
			`-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf")`
			`-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")`
			`+sysnet_filetrans_systemd_resolved(systemd_resolved_t)`

			`systemd_read_efivarfs(systemd_resolved_t)`

			`--`
			`1.8.3.1`