Add policy for systemd-homed

dist/targeted/modules.conf

@@ -3077,3 +3077,10 @@ afterburn = module
 # sap
 #
 sap = module
+
+# Layer: system
+# Module: systemd-homed
+#
+# Policy for systemd-homed
+#
+systemd-homed = module

policy/modules/contrib/colord.te

@@ -100,6 +100,7 @@ domain_use_interactive_fds(colord_t)
 files_list_mnt(colord_t)
 files_watch_usr_dirs(colord_t)
 files_map_var_lib_files(colord_t)
+files_mmap_isid_files(colord_t)
 files_read_var_lib_files(colord_t)
 
 fs_getattr_all_fs(colord_t)

policy/modules/contrib/dbus.te

@@ -229,6 +229,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_homed_write_pipes(system_dbusd_t)
 	systemd_status_systemd_services(system_dbusd_t)
 	systemd_use_fds_logind(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)

policy/modules/contrib/policykit.te

@@ -125,6 +125,10 @@ optional_policy(`
 		devicekit_dbus_chat(policykit_t)
 	')
 
+	optional_policy(`
+		systemd_homed_dbus_chat(policykit_t)
+	')
+
 	optional_policy(`
 		rhsmcertd_dbus_chat(policykit_t)
 	')

policy/modules/contrib/virt.te

@@ -2280,6 +2280,7 @@ optional_policy(`
 
 optional_policy(`
 	systemd_dbus_chat_machined(virtqemud_t)
+	systemd_homed_stream_connect(virtqemud_t)
 ')
 
 optional_policy(`

policy/modules/kernel/files.if

@@ -4848,6 +4848,25 @@ interface(`files_manage_isid_type_dirs',`
 	allow $1 unlabeled_t:dir manage_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Map files on new filesystems
+##	that have not yet been labeled.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mmap_isid_files',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:file { getattr map };
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on a directory on new filesystems
@@ -5249,6 +5268,24 @@ interface(`files_create_home_dir',`
 	create_dirs_pattern($1, home_root_t, home_root_t)
 ')
 
+########################################
+## <summary>
+## 	Delete /home directories
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`files_delete_home_dir',`
+	gen_require(`
+		type home_root_t;
+	')
+
+	delete_dirs_pattern($1, home_root_t, home_root_t)
+')
+
 ########################################
 ## <summary>
 ##	Search home directories root (/home).

policy/modules/services/xserver.te

@@ -1154,6 +1154,12 @@ optional_policy(`
     sssd_read_pid_files(xdm_t)
 ')
 
+optional_policy(`
+    systemd_homed_write_pid_sock_files(xdm_t)
+    systemd_homed_write_pipes(xdm_t)
+    systemd_homed_dbus_chat(xdm_t)
+')
+
 optional_policy(`
 	telepathy_exec(xdm_t)
 ')

policy/modules/system/authlogin.te

@@ -572,6 +572,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_homed_stream_connect(nsswitch_domain)
 	systemd_userdbd_stream_connect(nsswitch_domain)
 	systemd_machined_stream_connect(nsswitch_domain)
 ')

policy/modules/system/fstools.if

@@ -19,6 +19,24 @@ interface(`fstools_domtrans',`
 	domtrans_pattern($1, fsadm_exec_t, fsadm_t)
 ')
 
+########################################
+## <summary>
+##	NNP Transition to fstools.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fstools_nnp_domtrans',`
+	gen_require(`
+		type fsadm_t;
+	')
+	allow $1 fsadm_t:process2 nnp_transition;
+
+')
+
 ########################################
 ## <summary>
 ##	Execute fs tools in the fstools domain, and

policy/modules/system/init.te

@@ -815,6 +815,7 @@ optional_policy(`
 	optional_policy(`
 		devicekit_dbus_chat_power(init_t)
 	')
+
 ')
 
 optional_policy(`
@@ -877,6 +878,11 @@ optional_policy(`
 	stratisd_data_read_lnk_files(init_t)
 ')
 
+optional_policy(`
+	systemd_homed_dbus_chat(init_t)
+	systemd_homed_write_pipes(init_t)
+')
+
 optional_policy(`
 	systemd_filetrans_named_content(init_t)
     systemd_write_inhibit_pipes(init_t)

policy/modules/system/systemd-homed.fc

@@ -0,0 +1,22 @@
+#
+# homed file context
+#
+
+/run/systemd/home/(.+)\.dont-suspend                      -p  gen_context(system_u:object_r:systemd_homed_runtime_pipe_t,s0)
+/run/systemd/home/notify                                  -s  gen_context(system_u:object_r:systemd_homed_runtime_socket_t,s0)
+/run/systemd/home                                         -d  gen_context(system_u:object_r:systemd_homed_runtime_dir_t,s0)
+/run/systemd/user-home-mount                              -d  gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
+
+/usr/lib/systemd/systemd-homed                            --  gen_context(system_u:object_r:systemd_homed_exec_t,s0)
+/usr/lib/systemd/systemd-homework                         --  gen_context(system_u:object_r:systemd_homework_exec_t,s0)
+/usr/lib/systemd/system/systemd-homed-activate\.service   --  gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-homed\.service            --  gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
+
+/var/lib/systemd/home/(.+)\.identity                      --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
+/var/lib/systemd/home/local\.private                      --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
+/var/lib/systemd/home/(.+)\.public                        --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
+/var/lib/systemd/home/local\.public                       --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
+/var/lib/systemd/home                                     -d  gen_context(system_u:object_r:systemd_homed_library_dir_t,s0)
+
+HOME_DIR/\.identity                                       --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
+HOME_ROOT/(.+)\.home                                      --  gen_context(system_u:object_r:systemd_homed_crypto_luks_t,s0)

policy/modules/system/systemd-homed.if

@@ -0,0 +1,80 @@
+## <summary>SELinux policy for systemd-homed components</summary>
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd homed over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_homed_dbus_chat',`
+	gen_require(`
+		type systemd_homed_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_homed_t:dbus send_msg;
+	allow systemd_homed_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	systemd homed with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_homed_stream_connect',`
+	gen_require(`
+		type systemd_homed_t;
+	')
+
+	allow $1 systemd_homed_t:unix_stream_socket connectto;
+')
+
+#######################################
+## <summary>
+##	Write to systemd_homed PID socket files.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_homed_write_pid_sock_files',`
+    gen_require(`
+        type systemd_homed_runtime_dir_t;
+        type systemd_homed_runtime_socket_t;
+    ')
+
+	write_sock_files_pattern($1, systemd_homed_runtime_dir_t, systemd_homed_runtime_socket_t)
+')
+
+######################################
+## <summary>
+##	Write systemd homed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_homed_write_pipes',`
+	gen_require(`
+		type systemd_homed_runtime_dir_t;
+		type systemd_homed_runtime_pipe_t;
+	')
+
+	write_fifo_files_pattern($1, systemd_homed_runtime_dir_t, systemd_homed_runtime_pipe_t)
+')
+