Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] little misc patches
References: <YBoiGu2yVwv39Qnh@xev>
Date:   Wed, 03 Feb 2021 18:50:55 +0100
In-Reply-To: <YBoiGu2yVwv39Qnh@xev> (Russell Coker's message of "Wed, 3 Feb
        2021 15:10:02 +1100")
Message-ID: <ypjlsg6dqbuo.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk

Russell Coker <russell@coker.com.au> writes:

> More little misc patches.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/admin/acct.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
> +++ refpolicy-2.20210203/policy/modules/admin/acct.te
> @@ -57,6 +57,7 @@ init_use_fds(acct_t)
>  init_use_script_ptys(acct_t)
>  init_exec_script_files(acct_t)
>  
> +logging_search_logs(acct_t)
>  logging_send_syslog_msg(acct_t)
>  
>  miscfiles_read_localization(acct_t)
> Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
> @@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
>  allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
>  allow bootloader_t self:process { signal_perms execmem };
>  allow bootloader_t self:fifo_file rw_fifo_file_perms;
> +allow bootloader_t self:netlink_selinux_socket
>  connected_socket_perms;

this can be dontaudited (or even just removed) because the status_page api falls back to this if the
file cannot be mapped, but since you allow the map below this is not
needed and so this should no longer be triggered

>  
>  allow bootloader_t bootloader_etc_t:file read_file_perms;
>  # uncomment the following lines if you use "lilo -p"
> @@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
>  files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>  
>  kernel_getattr_core_if(bootloader_t)
> +kernel_read_crypto_sysctls(bootloader_t)
>  kernel_read_network_state(bootloader_t)
>  kernel_read_system_state(bootloader_t)
>  kernel_read_software_raid_state(bootloader_t)
> @@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
>  
>  mount_rw_runtime_files(bootloader_t)
>  
> +selinux_get_enforce_mode(bootloader_t)
>  selinux_getattr_fs(bootloader_t)
> +selinux_search_fs(bootloader_t)
> +selinux_use_status_page(bootloader_t)
>  seutil_read_bin_policy(bootloader_t)
> +seutil_read_config(bootloader_t)
>  seutil_read_file_contexts(bootloader_t)
>  seutil_read_loadpolicy(bootloader_t)
>  seutil_dontaudit_search_config(bootloader_t)
> Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
> +++ refpolicy-2.20210203/policy/modules/admin/brctl.te
> @@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
>  # Local policy
>  #
>  
> -allow brctl_t self:capability net_admin;
> +allow brctl_t self:capability { net_admin sys_module };

use the appropriate interface for loading kernel modules instead

>  allow brctl_t self:fifo_file rw_fifo_file_perms;
>  allow brctl_t self:unix_stream_socket create_stream_socket_perms;
>  allow brctl_t self:unix_dgram_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
> @@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
>  init_stream_connect(logrotate_t)
>  init_manage_all_units(logrotate_t)
>  
> +libs_exec_lib_files(logrotate_t)

probably a mislabeled file, better to address the labeling issue

> +
>  logging_manage_all_logs(logrotate_t)
>  logging_send_syslog_msg(logrotate_t)
>  logging_send_audit_msgs(logrotate_t)
> Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
> +++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> @@ -1,3 +1,4 @@
>  /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
> +/usr/bin/cdrskin	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
>  /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
>  /usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210203/policy/modules/apps/games.te
> @@ -92,7 +92,9 @@ optional_policy(`
>  allow games_t self:fifo_file rw_fifo_file_perms;
>  allow games_t self:sem create_sem_perms;
>  allow games_t self:tcp_socket { accept listen };
> +allow games_t self:process getsched;
>  
> +manage_dirs_pattern(games_t, games_data_t, games_data_t)
>  manage_files_pattern(games_t, games_data_t, games_data_t)
>  manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
>  
> @@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
>  
>  manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
>  manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
> +allow games_t games_tmp_t:file map;
> +
>  files_tmp_filetrans(games_t, games_tmp_t, { file dir })
>  
>  manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
> @@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
>  corenet_sendrecv_generic_client_packets(games_t)
>  corenet_tcp_connect_generic_port(games_t)
>  
> +corenet_udp_bind_generic_node(games_t)
> +
>  dev_read_sound(games_t)
>  dev_read_input(games_t)
>  dev_read_mouse(games_t)
> @@ -136,13 +142,16 @@ dev_rw_dri(games_t)
>  dev_write_sound(games_t)
>  
>  files_list_var(games_t)
> +files_search_mnt(games_t)
>  files_search_var_lib(games_t)
>  files_dontaudit_search_var(games_t)
> +files_map_usr_files(games_t)
>  files_read_etc_files(games_t)
>  files_read_usr_files(games_t)
>  files_read_var_files(games_t)
>  
>  fs_dontaudit_getattr_xattr_fs(games_t)
> +fs_search_nfs(games_t)
>  
>  init_dontaudit_rw_utmp(games_t)
>  
> @@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
>  userdom_manage_user_tmp_files(games_t)
>  userdom_manage_user_tmp_symlinks(games_t)
>  userdom_manage_user_tmp_sockets(games_t)
> +userdom_use_user_ptys(games_t)
>  userdom_dontaudit_read_user_home_content_files(games_t)
>  
>  tunable_policy(`allow_execmem',`
> @@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
>  
>  optional_policy(`
>  	alsa_read_config(games_t)
> +	alsa_read_home_files(games_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20210203/policy/modules/apps/gpg.te
> @@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
>  miscfiles_read_localization(gpg_t)
>  
>  userdom_use_user_terminals(gpg_t)
> +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>  
>  userdom_manage_user_tmp_dirs(gpg_t)
>  userdom_manage_user_tmp_files(gpg_t)
> Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
> +++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
> @@ -137,6 +137,7 @@ ifdef(`distro_suse', `
>  /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
> +/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>  /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
>  /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
> Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
> @@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
>  allow sysadm_t self:capability audit_write;
>  allow sysadm_t self:system status;
>  
> +kernel_request_load_module(sysadm_t)
> +
>  corecmd_exec_shell(sysadm_t)
>  
>  corenet_ib_access_unlabeled_pkeys(sysadm_t)
> @@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
>  
>  init_exec(sysadm_t)
>  init_admin(sysadm_t)
> +init_rw_stream_sockets(sysadm_t)
>  
>  # Add/remove user home directories
>  userdom_manage_user_home_dirs(sysadm_t)
> Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> @@ -29,6 +29,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	ssh_role_template(user, user_r, user_t)
> +')
> +
> +optional_policy(`
>  	vlock_run(user_t, user_r)
>  ')
>  
> @@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> -		ssh_role_template(user, user_r, user_t)
> -	')
> -
> -	optional_policy(`
>  		su_role_template(user, user_r, user_t)
>  	')
>  
> Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20210203/policy/modules/system/authlogin.te
> @@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
>  
>  logging_search_logs(utempter_t)
>  
> +term_use_ptmx(utempter_t)
> +
>  userdom_use_user_terminals(utempter_t)
>  # Allow utemper to write to /tmp/.xses-*
>  userdom_write_user_tmp_files(utempter_t)
> @@ -406,6 +408,7 @@ optional_policy(`
>  optional_policy(`
>  	xserver_use_xdm_fds(utempter_t)
>  	xserver_rw_xdm_pipes(utempter_t)
> +	xserver_write_inherited_xsession_log(utempter_t)
>  ')
>  
>  #######################################
> Index: refpolicy-2.20210203/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210203/policy/modules/system/init.if
> @@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
>  	allow $1 { init_script_file_type systemdunit }:service reload;
>  ')
>  
> +#######################################
> +## <summary>
> +##	getattr all systemd unit files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_all_units',`
> +	gen_require(`
> +		attribute systemdunit;
> +	')
> +
> +	allow $1 systemdunit:file getattr;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Manage systemd unit dirs and the files in them
> Index: refpolicy-2.20210203/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210203/policy/modules/system/init.te
> @@ -244,7 +244,6 @@ ifdef(`init_systemd',`
>  	allow init_t self:udp_socket create_socket_perms;
>  	allow init_t self:netlink_route_socket create_netlink_socket_perms;
>  	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> -	allow init_t self:capability2 audit_read;
>  	allow init_t self:key { search setattr write };
>  	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
>  
> @@ -262,7 +261,7 @@ ifdef(`init_systemd',`
>  
>  	# setexec and setkeycreate for systemd --user
>  	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
> -	allow init_t self:capability2 { audit_read block_suspend };
> +	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
>  	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
>  	allow init_t self:unix_dgram_socket lock;
>  
> @@ -428,6 +427,7 @@ ifdef(`init_systemd',`
>  	miscfiles_watch_localization(init_t)
>  
>  	mount_watch_runtime_dirs(init_t)
> +	mount_watch_runtime_files_reads(init_t)
>  
>  	# systemd_socket_activated policy
>  	mls_socket_write_all_levels(init_t)
> Index: refpolicy-2.20210203/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20210203/policy/modules/system/logging.te
> @@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
>  userdom_dontaudit_search_user_home_dirs(syslogd_t)
> +userdom_search_user_runtime_root(syslogd_t)
>  
>  ifdef(`init_systemd',`
>  	# for systemd-journal
> @@ -549,6 +550,8 @@ ifdef(`init_systemd',`
>  	systemd_manage_journal_files(syslogd_t)
>  
>  	udev_read_runtime_files(syslogd_t)
> +	userdom_list_user_tmp(syslogd_t)
> +	userdom_read_user_tmp_symlinks(syslogd_t)
>  ')
>  
>  ifdef(`distro_gentoo',`
> Index: refpolicy-2.20210203/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20210203/policy/modules/system/lvm.te
> @@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
>  files_list_usr(clvmd_t)
>  
>  fs_getattr_all_fs(clvmd_t)
> +fs_getattr_pstore_dirs(lvm_t)
>  fs_search_auto_mountpoints(clvmd_t)
> +fs_search_cgroup_dirs(lvm_t)
>  fs_dontaudit_list_tmpfs(clvmd_t)
>  fs_dontaudit_read_removable_files(clvmd_t)
>  fs_rw_anon_inodefs_files(clvmd_t)
> +fs_search_bpf(lvm_t)
>  
>  storage_dontaudit_getattr_removable_dev(clvmd_t)
>  storage_manage_fixed_disk(clvmd_t)
> @@ -167,7 +170,6 @@ optional_policy(`
>  allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
>  dontaudit lvm_t self:capability sys_tty_config;
>  allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
> -# LVM will complain a lot if it cannot set its priority.
>  allow lvm_t self:process setsched;
>  allow lvm_t self:file rw_file_perms;
>  allow lvm_t self:fifo_file manage_fifo_file_perms;
> @@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
>  
>  storage_relabel_fixed_disk(lvm_t)
>  storage_dontaudit_read_removable_device(lvm_t)
> +storage_getattr_removable_dev(lvm_t)
> +
>  # LVM creates block devices in /dev/mapper or /dev/<vg>
>  # depending on its version
>  # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
> Index: refpolicy-2.20210203/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20210203/policy/modules/system/modutils.te
> @@ -34,6 +34,7 @@ ifdef(`init_systemd',`
>  #
>  
>  allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
> +allow kmod_t self:lockdown confidentiality;
>  allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>  # for the radeon/amdgpu modules
>  dontaudit kmod_t self:capability sys_admin;
> Index: refpolicy-2.20210203/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20210203/policy/modules/system/mount.te
> @@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
>  files_dontaudit_write_all_mountpoints(mount_t)
>  files_dontaudit_setattr_all_mountpoints(mount_t)
>  
> +fs_getattr_binfmt_misc_fs(mount_t)
>  fs_getattr_xattr_fs(mount_t)
>  fs_getattr_tmpfs(mount_t)
>  fs_getattr_rpc_pipefs(mount_t)
>  fs_getattr_cifs(mount_t)
>  fs_getattr_nfs(mount_t)
>  fs_mount_all_fs(mount_t)
> +fs_manage_tmpfs_dirs(mount_t)
>  fs_unmount_all_fs(mount_t)
>  fs_remount_all_fs(mount_t)
>  fs_relabelfrom_all_fs(mount_t)
> Index: refpolicy-2.20210203/policy/modules/system/raid.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/raid.te
> +++ refpolicy-2.20210203/policy/modules/system/raid.te
> @@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
>  files_read_etc_files(mdadm_t)
>  files_read_etc_runtime_files(mdadm_t)
>  files_dontaudit_getattr_all_files(mdadm_t)
> +files_search_tmp(mdadm_t)
>  
>  fs_getattr_all_fs(mdadm_t)
>  fs_list_auto_mountpoints(mdadm_t)
> Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> @@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
>  fs_relabelfrom_noxattr_fs(restorecond_t)
>  fs_getattr_pstorefs(restorecond_t)
>  
> +logging_watch_generic_logs_dir(restorecond_t)
> +
>  selinux_validate_context(restorecond_t)
>  selinux_compute_access_vector(restorecond_t)
>  selinux_compute_create_context(restorecond_t)
>  selinux_compute_relabel_context(restorecond_t)
>  selinux_compute_user_contexts(restorecond_t)
> +seutil_read_file_contexts(restorecond_t)
>  
>  files_relabel_non_auth_files(restorecond_t )
>  files_dontaudit_read_all_symlinks(restorecond_t)
> +files_watch_etc_dirs(restorecond_t)
> +files_watch_runtime_dirs(restorecond_t)
>  auth_use_nsswitch(restorecond_t)
>  
>  logging_send_syslog_msg(restorecond_t)
> @@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
>  # the failed access to the current directory
>  dontaudit run_init_t self:capability { dac_override dac_read_search };
>  
> +kernel_getattr_proc(run_init_t)
> +
>  corecmd_exec_bin(run_init_t)
>  corecmd_exec_shell(run_init_t)
>  
> @@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
>  allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
>  allow setfiles_t file_context_t:file map;
>  
> +kernel_read_kernel_sysctls(setfiles_t)
>  kernel_read_system_state(setfiles_t)
>  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
>  kernel_relabelfrom_unlabeled_files(setfiles_t)
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> @@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
>  dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
>  # for access("/etc/bashrc", X_OK) on Red Hat
>  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
> -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
> +allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
>  
>  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20210203/policy/modules/system/udev.te
> @@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
>  allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
>  dontaudit udev_t self:capability sys_tty_config;
>  allow udev_t self:capability2 { wake_alarm block_suspend };
> +allow udev_t self:lockdown confidentiality;
>  allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
>  allow udev_t self:fd use;
>  allow udev_t self:fifo_file rw_fifo_file_perms;
> @@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
>  manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>  
>  manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> +allow udev_t udev_runtime_t:dir watch;
>  manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>  manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>  manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> @@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
>  files_read_usr_files(udev_t)
>  files_read_etc_runtime_files(udev_t)
>  files_read_etc_files(udev_t)
> +files_read_var_lib_symlinks(udev_t)
>  files_mmap_read_kernel_modules(udev_t)
>  files_exec_etc_files(udev_t)
>  files_getattr_generic_locks(udev_t)
> @@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
>  fs_list_inotifyfs(udev_t)
>  fs_read_cgroup_files(udev_t)
>  fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tmpfs(udev_t)
>  fs_search_tracefs(udev_t)
>  
>  mcs_ptrace_all(udev_t)
> @@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
>  auth_domtrans_pam_console(udev_t)
>  auth_use_nsswitch(udev_t)
>  
> +# for /run/console-setup
then that shouldnt be labeled tmpfs_t?

> +fs_manage_tmpfs_dirs(udev_t)
> +fs_manage_tmpfs_files(udev_t)
> +
>  init_read_utmp(udev_t)
>  init_domtrans_script(udev_t)
>  # systemd-udevd searches /run/systemd
> @@ -260,9 +268,6 @@ ifdef(`init_systemd',`
>  	optional_policy(`
>  		init_dbus_chat(udev_t)
>  	')
> -',`
> -	fs_manage_tmpfs_dirs(udev_t)
> -	fs_manage_tmpfs_files(udev_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210203/policy/modules/system/unconfined.te
> @@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
>  logging_run_auditctl(unconfined_t, unconfined_r)
>  
>  mount_run_unconfined(unconfined_t, unconfined_r)
> +mount_watch_runtime_files_reads(unconfined_t)
>  
>  seutil_run_setfiles(unconfined_t, unconfined_r)
>  seutil_run_semanage(unconfined_t, unconfined_r)
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift