From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 3 Aug 2020 14:49:31 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48
Conflict: NA
Subject: [PATCH] sysnetwork.if: avoid directly referencing
 systemd_resolved_var_run_t

Instead create a systemd_resolved_pid_filetrans() interface in
systemd.if and use that. Also used a unified interface for adding these
transitions in sysnet_filetrans_named_content() and directly in the
systemd module.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++---------
 policy/modules/system/systemd.if    | 34 ++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  4 +---
 3 files changed, 62 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 10172d6..d7b696b 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',`
 
 ########################################
 ## <summary>
+##	Set up filename transitions for systemd-resolved network
+##	configuration content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_filetrans_systemd_resolved',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	optional_policy(`
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+		systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+	')
+')
+
+########################################
+## <summary>
 ##	Transition to sysnet named content
 ## </summary>
 ## <param name="domain">
@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',`
 interface(`sysnet_filetrans_named_content',`
 	gen_require(`
 		type net_conf_t;
-		type systemd_resolved_var_run_t;
 	')
 
 	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',`
 	init_pid_filetrans($1, net_conf_t, dir, "network")
 
 	optional_policy(`
-	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
-	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-    ')
+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+	')
 
-    optional_policy(`
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
-        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-    ')
+	sysnet_filetrans_systemd_resolved($1)
 ')
 
 ########################################
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 26d4927..d10ae16 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',`
 	write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')
 
+########################################
+## <summary>
+##	Create objects in /var/run/systemd/resolve with a private
+##	type using a type_transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	Private file type.
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Object classes to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`systemd_resolved_pid_filetrans',`
+	gen_require(`
+		type systemd_resolved_var_run_t;
+	')
+
+	filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
+')
+
 ######################################
 ## <summary>
 ##	Read systemd_login PID files.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 332d716..c806b29 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t)
 dev_read_sysfs(systemd_resolved_t)
 
 sysnet_manage_config(systemd_resolved_t)
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
+sysnet_filetrans_systemd_resolved(systemd_resolved_t)
 
 systemd_read_efivarfs(systemd_resolved_t)
 
-- 
1.8.3.1