Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1164152pxb;
        Wed, 6 Apr 2022 10:13:19 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwJW1cCwBMO/pGcd3fCCvOcvZFuKk3jqhBLcSRd+PI+tauELMUSeDoJhTRNFs+ZYVk5E29r
X-Received: by 2002:a65:5941:0:b0:375:9bfd:473d with SMTP id g1-20020a655941000000b003759bfd473dmr7896066pgu.348.1649265198962;
        Wed, 06 Apr 2022 10:13:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649265198; cv=none;
        d=google.com; s=arc-20160816;
        b=l3h33mxqw8b6XtaLCj9O9qbt3pMTRAX7grSWqsqYcfu7LhlyJi3uHB85+YaaAsFcyY
         3b2oDfcrCY6OO9aAvhxi+i40VmOlcotMfO4lf/BMEe9vglHSuLHJ6tLrNkIpRri5s5C3
         XDcxd5SM/nXOUE19Bas18yXCNQ5MSDgXCN3y8zmO/d8Eh83LzJM3FDV3692Dr3pjseFi
         +e+jA7obDI8+0XryXpqyxYC1kXcVdf2fskJnc8OAWjbJoAe6/SkO/ydojUIIuUliCxre
         gDUX8EESPK/T/pRg8F9fn3HAfE6PTVHmH0zXzCS7qTskp89WGjbWE2kHlWMeJi/z65mM
         2C2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=Tz2w/20TEyaH9mvYBdVFduZWZXR4ONljCGVi8nKJIWs=;
        b=PpDsy9ONRxuotEJkgxM1Np8AY/zfkj8W5YHocjOa3iNlxY+39xqA8zzNWUyCsyJ1u8
         1dpF5w9jzkRUMyAjhCAzilMjnqnDueLzmx0i/YCqHAnLhjLTO6leQVIWy/N97yoDLWeq
         HO6a4LK8YqLIN9oYDjgdU5SrW2moWF0g5uj2wnBiIqoYZ8OMTUVRL+ZStbxjiJDB1IH8
         F8L1Gjc0E8/krSrCXeJhjEmlGMniZaJmJ++URNkt5P6FuZceW5RRGTCniGVpvzTMHM3F
         AlezGUKYsYx58oUyzUCLZ79oklTHaDkmYIEBbZ8ejno8/kNAYvMVwWzu4fjG5NuhnBle
         6iRg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=AnFv0aZq;
       spf=softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id c23-20020a63da17000000b003816043f0bdsi16810547pgh.690.2022.04.06.10.13.18
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 10:13:18 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=AnFv0aZq;
       spf=softfail (google.com: domain of transitioning selinux-refpolicy-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id D2390C6F02;
	Wed,  6 Apr 2022 09:57:56 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238475AbiDFQ7z (ORCPT <rfc822;axel6043@gmail.com> + 22 others);
        Wed, 6 Apr 2022 12:59:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38834 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S238333AbiDFQ7t (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 6 Apr 2022 12:59:49 -0400
Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.241.179])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2271346E7F
        for <selinux-refpolicy@vger.kernel.org>; Wed,  6 Apr 2022 07:52:38 -0700 (PDT)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id E3B21F65E
        for <selinux-refpolicy@vger.kernel.org>; Thu,  7 Apr 2022 00:52:35 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1649256756;
        bh=Tz2w/20TEyaH9mvYBdVFduZWZXR4ONljCGVi8nKJIWs=; l=4382;
        h=Date:From:To:Subject:From;
        b=AnFv0aZqxEGV8gTpzPNitcZXpEq4NT2griZ+DsxNW74twM51TxNE6KycNAuo/ausg
         JuC8sxIXCmzldYa0cvoKOcdoDkpZ1cG1rRCOb4MS20oyIcgh3qvAD5l88QpDcWhBph
         6RIXRp26vfYykJdIruuFQlEmqvi0ixymN+k97ntI=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 7105317CA90D; Thu,  7 Apr 2022 00:52:31 +1000 (AEST)
Date:   Thu, 7 Apr 2022 00:52:31 +1000
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] machinectl shell and login fixes
Message-ID: <Yk2pL3h1fF3lqE1w@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This patch fixes a delay in login and allows machinectl shell to work.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220325/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/init.if
+++ refpolicy-2.20220325/policy/modules/system/init.if
@@ -3301,6 +3301,24 @@ interface(`init_tcp_recvfrom_all_daemons
 	corenet_tcp_recvfrom_labeled($1, daemon)
 ')
 
+######################################
+## <summary>
+##	restart systemd units, for /run/systemd/transient/*
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_restart_units',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:service { start status stop };
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a udp socket
Index: refpolicy-2.20220325/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20220325/policy/modules/system/locallogin.te
@@ -129,7 +129,8 @@ auth_manage_pam_runtime_files(local_logi
 auth_manage_pam_console_data(local_login_t)
 auth_domtrans_pam_console(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
Index: refpolicy-2.20220325/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220325/policy/modules/system/systemd.te
@@ -851,6 +851,9 @@ init_start_system(systemd_logind_t)
 init_stop_system(systemd_logind_t)
 init_watch_utmp(systemd_logind_t)
 
+# for /run/systemd/transient/*
+init_restart_units(systemd_logind_t)
+
 locallogin_read_state(systemd_logind_t)
 
 seutil_libselinux_linked(systemd_logind_t)
Index: refpolicy-2.20220325/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20220325/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ##	The user domain for the role.
 ##	</summary>
 ## </param>
-## <param name="pty_type">
-##	<summary>
-##	The type for the user pty
-##	</summary>
-## </param>
 #
 template(`systemd_role_template',`
 	gen_require(`
@@ -33,6 +28,7 @@ template(`systemd_role_template',`
 		type systemd_conf_home_t, systemd_data_home_t;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 		type systemd_user_unit_t, systemd_user_runtime_unit_t;
+		type systemd_machined_t, user_devpts_t;
 	')
 
 	#################################
@@ -60,6 +56,7 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
+	corecmd_shell_entry_type($1_systemd_t)
 
 	# systemctl --user rules
 	allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
@@ -114,6 +111,10 @@ template(`systemd_role_template',`
 	seutil_search_default_contexts($1_systemd_t)
 	seutil_read_file_contexts($1_systemd_t)
 
+	# for machinectl shell
+	term_user_pty($1_systemd_t, user_devpts_t)
+	allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
+
 	systemd_manage_conf_home_content($1_systemd_t)
 	systemd_manage_data_home_content($1_systemd_t)
 
@@ -144,6 +145,12 @@ template(`systemd_role_template',`
 	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
+	# for "machinectl shell"
+	allow $1_systemd_t systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:dbus send_msg;
+	allow systemd_machined_t $3:dbus send_msg;
+
 	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
 	allow $3 systemd_user_unit_t:service { reload start status stop };