authorChris PeBenito <pebenito@ieee.org>2017-03-28 18:51:35 -0400
committerJason Zaman <jason@perfinion.com>2017-03-30 19:46:48 +0800
commit13afa3ec8591b0522048fab442bb7f66bbeb5787 (patch)
tree437db7a0d58b3e6e4cb43995de84df29596da500
parenttravis: move after_success tests into script section (diff)
systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer version of the patch which applies to today's git version. Description: systemd-resolved, sessions, and tmpfiles patches Author: Russell Coker <russell@coker.com.au> Last-Update: 2017-03-26
-rw-r--r--policy/modules/kernel/files.if92
-rw-r--r--policy/modules/kernel/files.te2
-rw-r--r--policy/modules/services/xserver.if56
-rw-r--r--policy/modules/services/xserver.te2
-rw-r--r--policy/modules/system/init.if36
-rw-r--r--policy/modules/system/init.te2
-rw-r--r--policy/modules/system/logging.if116
-rw-r--r--policy/modules/system/logging.te2
-rw-r--r--policy/modules/system/miscfiles.if19
-rw-r--r--policy/modules/system/miscfiles.te2
-rw-r--r--policy/modules/system/systemd.te84
-rw-r--r--policy/modules/system/userdomain.if18
-rw-r--r--policy/modules/system/userdomain.te2
13 files changed, 423 insertions, 10 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0d6fe3c56..9d7a929ab 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
+## Relabel directories to etc_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
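Review bot: `files_relabelto_etc_dirs` grants only `relabelto` on `etc_t`, so a caller can use it only on a directory whose current type it already has `relabelfrom` for; the summary should say so, since `files_relabel_var_dirs` later in this commit grants both directions and a reader may expect the same here. Suggested summary: `## Relabel directories to the generic /etc type (caller also needs relabelfrom on the source type).` Relabelling a directory to `etc_t` exposes it to the many domains allowed to search and list generic /etc directories, so a line of justification in the interface description is worth adding.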
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',`
########################################
## <summary>
+## Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
## Create objects in /home.
## </summary>
## <param name="domain">
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',`
########################################
## <summary>
+## relabelto/from var directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Read files in the /var directory.
## </summary>
## <param name="domain">
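Review bot: The summary `## relabelto/from var directories` on the new `files_relabel_var_dirs` is lower-case shorthand, unlike the sentence-style summaries used elsewhere in this commit (`## Relabel directories to etc_t.`); suggest `## Relabel to and from the generic /var directory type.` The same applies to `## manage var_lib_t dirs` and `## relabel var_lib_t dirs` in the next hunk of this file and to `## relabel the X windows console named pipes.` in xserver.if. These summaries feed the generated interface documentation, so naming the path (`/var/lib`) rather than the type (`var_lib_t`) matches the neighbouring interfaces.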
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
+## manage var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## relabel var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9f911efdb..10001b152 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.7)
+policy_module(files, 1.23.8)
########################################
#
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 060adbfab..eae74b67b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',`
########################################
## <summary>
+## Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+## relabel the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
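Review bot: `xserver_create_console_pipes` grants only `create` on `xconsole_device_t:fifo_file` with no type transition, so the fifo only receives that label if the caller sets the create context itself (systemd_tmpfiles_t, the only caller in this commit, has `setfscreate`); a comment recording that assumption would help the next caller, e.g. `# no filetrans here; the caller is expected to set the create context`. Also `xserver_relabel_console_pipes` bundles `getattr` with the relabel permissions whereas the other relabel interfaces in this commit grant only `{ relabelfrom relabelto }`; if getattr is needed for the relabel path, a short comment would explain the difference.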
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
gen_require(`
type xdm_t;
class dbus send_msg;
- ')
+ ')
allow $1 xdm_t:dbus send_msg;
allow xdm_t $1:dbus send_msg;
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
+## Create xdm temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## Read xdm temporary files.
## </summary>
## <param name="domain">
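Review bot: The parameter summary in `xserver_create_xdm_tmp_dirs` reads `## Domain to allow access.` while every other interface in this commit uses the refpolicy wording `## Domain allowed access.`; suggest changing it to match. Like `xserver_create_console_pipes` earlier in this file, the interface grants only `create` with no type transition, so the resulting directory label depends on the caller setting the create context.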
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bfbafcb4..5750e14ea 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.4)
+policy_module(xserver, 3.13.5)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 195c5fa33..9b07a6e74 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',`
########################################
## <summary>
+## Relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
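Review bot: `init_relabel_var_lib_dirs` grants relabel permissions on `init_var_lib_t` but no search permission on the `/var/lib` parent, whereas `files_manage_var_lib_dirs` and `files_relabel_var_lib_dirs` added in this commit grant `var_t:dir search_dir_perms` themselves. If the neighbouring init interfaces such as `init_list_var_lib_dirs` above this hunk call `files_search_var_lib($1)`, adding `files_search_var_lib($1)` here would keep the interface usable on its own. Minor for this commit, since the only caller already receives the search permission through the files interfaces.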
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',`
########################################
## <summary>
+## Relabel utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
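Review bot: `init_relabel_utmp` grants `{ relabelfrom relabelto }` on every `initrc_var_run_t` file, so if that type labels other init runtime files besides utmp, as its name suggests, the summary `## Relabel utmp.` understates the scope. Suggest `## Relabel utmp (grants relabel on all initrc_var_run_t files).` so callers understand what they are giving. The naming mirrors the existing `init_manage_utmp`, so only the documentation needs the change.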
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a5ed6f8d..dfde3f39a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.12)
+policy_module(init, 2.2.13)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 66da3da39..b2053a0b1 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',`
########################################
## <summary>
+## Set the attributes of syslog temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Set the attributes of syslog temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create an object in the log directory, with a private type.
## </summary>
## <desc>
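Review bot: The four new interfaces (`logging_setattr_syslogd_tmp_files`, `logging_relabel_syslogd_tmp_files`, `logging_setattr_syslogd_tmp_dirs`, `logging_relabel_syslogd_tmp_dirs`) carry `<rolecap/>`, which marks an interface as a capability suitable for granting to user roles, yet they exist to let a system service relabel another daemon's private temporary files; none of the equivalent interfaces added to files.if, init.if, xserver.if or userdomain.if in this commit carry the tag. Unless these are meant to be assigned to a user role, drop the `## <rolecap/>` line from each. The same question applies to `logging_manage_generic_log_dirs` and `logging_relabel_generic_log_dirs` in the next hunk, though managing generic logs is more plausibly an admin role capability.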
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',`
########################################
## <summary>
+## Create, read, write, and delete generic log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel from and to generic log directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Read generic log files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e7092df..e5864342b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.8)
+policy_module(logging, 1.25.9)
########################################
#
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 5b9a81037..204390d19 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',`
########################################
## <summary>
+## Relabel from and to man cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
## Read public files used for file
## transfer services.
## </summary>
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index ec4d8dc07..3b180a361 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.1)
+policy_module(miscfiles, 1.12.2)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5af4ce4e..e1f4c3a72 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.13)
+policy_module(systemd, 1.3.14)
#########################################
#
@@ -613,9 +613,18 @@ optional_policy(`
# Sessions local policy
#
+allow systemd_sessions_t self:process setfscreate;
+
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
systemd_log_parse_environment(systemd_sessions_t)
#########################################
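Review bot: `allow systemd_sessions_t self:process setfscreate;` together with the new `seutil_read_file_contexts` and `selinux_get_*` calls suggests systemd-sessions now computes and sets file creation contexts, but no comment says which file this is for; a why-comment such as `# sets the create context for the files it creates at runtime (TODO: name the path)` would keep the grant reviewable. `setfscreate` lets the domain choose the label of files it creates, so it is worth recording what constrains that choice here.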
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t)
# Tmpfiles local policy
#
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
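Review bot: The capability line now adds `net_admin sys_admin` to systemd_tmpfiles_t with no comment on which operation needs them; `sys_admin` in particular is one of the broadest capabilities and is often only probed rather than required. Please record the triggering call above the rule, e.g. `# net_admin/sys_admin: <operation> (see <audit reference>)`, and if the denials turn out to be probes prefer `dontaudit systemd_tmpfiles_t self:capability { net_admin sys_admin };` over allowing them. The new relabel rules for `systemd_coredump_var_lib_t` and `systemd_sessions_var_run_t` below it mirror the existing `systemd_journal_t` rules and look fine.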
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_manage_var_dirs(systemd_tmpfiles_t)
+files_manage_var_lib_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_var_dirs(systemd_tmpfiles_t)
+files_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_manage_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
+
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
+sysnet_create_config(systemd_tmpfiles_t)
+
systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
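Review bot: `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` are added at the top of this hunk while the same two calls remain as existing lines three rows below, so the hunk introduces duplicate rules; drop the two added lines. `auth_manage_var_auth` is only moved into alphabetical order, which is fine. Among the genuinely new calls, `files_manage_all_pid_dirs`, `files_delete_usr_files` and `sysnet_create_config` noticeably widen what tmpfiles may touch and would benefit from the same style of why-comment the hunk already uses for `/etc/mtab` and `/proc/1/environ`, e.g. `# for <path> (TODO: name the tmpfiles.d entry)`.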
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_tmp_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
+ xserver_relabel_console_pipes(systemd_tmpfiles_t)
+ xserver_setattr_console_pipes(systemd_tmpfiles_t)
+')
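Review bot: `xserver_setattr_console_pipes(systemd_tmpfiles_t)` is called in the last `optional_policy` block but is not among the xserver interfaces this commit adds, so it must already exist in xserver.if; if it does not, the module will fail to build. The three `optional_policy` blocks also lack the short why-comments used in the hunk above, e.g. `# console pipes and xdm tmp dirs created from tmpfiles.d`. That makes it easier to drop the grants later if the corresponding tmpfiles.d entries go away.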
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 610651185..50100dd15 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',`
########################################
## <summary>
+## Relabel to and from user runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## runtime dirs.
## </summary>
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cf58bd279..0cbf3cec2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.5)
+policy_module(userdomain, 4.13.6)
########################################
#