selinux-policy/backport-Allow-some-domains-use-sd_notify.patch

From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Jul 2022 10:30:12 +0200
Subject: [PATCH] Allow some domains use sd_notify()

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af
Conflict: NA

sd_notify() and a few similar systemd library functions may be called by
a service to notify the service manager about state changes. It can be
used to send arbitrary information. Most importantly, it can be used for
start-up completion notification.

With this commit, all types in the daemon and login_userdomain
attributes and unconfined_service_t can connect to init (PID 1) and
init can write back to the fifo_file created by the domain.

Resolves: rhbz#1903305
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/system/init.if       | 21 +++++++++++++++++++++
 policy/modules/system/init.te       |  2 ++
 policy/modules/system/unconfined.te |  2 ++
 policy/modules/system/userdomain.te |  2 ++
 4 files changed, 27 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4b3bb59..c07649b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',`
     allow $1 init_t:tcp_socket { read write getattr };
 ')
 
+#######################################
+## <summary>
+##	Use sd_notify
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_notify',`
+	gen_require(`
+		type init_t, init_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	allow $1 init_var_run_t:sock_file read_sock_file_perms;
+	allow init_t $1:fifo_file write_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the system status information from init
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 073ce2c..e4bc96f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',`
 
 domain_dontaudit_use_interactive_fds(daemon)
 
+init_use_notify(daemon)
+
 userdom_dontaudit_list_admin_dir(daemon)
 userdom_dontaudit_search_user_tmp(daemon)
 
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index ed03aad..4da1290 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t;
 corecmd_bin_entry_type(unconfined_service_t)
 corecmd_shell_entry_type(unconfined_service_t)
 
+init_use_notify(unconfined_service_t)
+
 optional_policy(`
 	rpm_transition_script(unconfined_service_t, system_r)
 ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..0980247 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain)
 fs_create_cgroup_files(login_userdomain)
 fs_watch_cgroup_files(login_userdomain)
 
+init_use_notify(login_userdomain)
+
 libs_watch_lib_dirs(login_userdomain)
 
 miscfiles_watch_fonts_dirs(login_userdomain)
-- 
1.8.3.1