diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index b5b152fb16..310a8410d2 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -89,6 +89,9 @@ logging_send_syslog_msg(quota_t)
userdom_use_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
+init_rw_script_stream_sockets(quota_t)
+kernel_use_fds(quota_t)
+
optional_policy(`
mta_queue_filetrans(quota_t, quota_db_t, file)
mta_spool_filetrans(quota_t, quota_db_t, file)
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index b9558dccc4..aa8f72d819 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -48,6 +48,9 @@ miscfiles_read_localization(loadkeys_t)
userdom_use_user_terminals(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
+init_rw_script_stream_sockets(loadkeys_t)
+kernel_use_fds(loadkeys_t)
+
optional_policy(`
consolesetup_read_conf(loadkeys_t)
')
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index f599670407..f4cf3edbdc 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -753,6 +753,8 @@ kernel_search_vm_sysctl(container_engine_t)
term_remount_devpts(container_engine_t)
+init_rw_script_stream_sockets(container_engine_t)
+
ifdef(`init_systemd',`
# needed by runc, which is also invoked by other engines
init_run_bpf(container_engine_domain)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 99f7b61cbf..88fd3550aa 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -190,6 +190,9 @@ write_logging_runtime_dirs(system_dbusd_t)
files_map_etc_files(system_dbusd_t)
+init_rw_script_stream_sockets(system_dbusd_t)
+kernel_use_fds(system_dbusd_t)
+
ifdef(`init_systemd', `
# gdm3 causes system_dbusd_t to want this access
dev_rw_dri(system_dbusd_t)
@@ -229,6 +232,10 @@ optional_policy(`
')
')
+optional_policy(`
+ unconfined_use_fds(system_dbusd_t)
+')
+
optional_policy(`
tunable_policy(`dbus_broker_system_bus',`
networkmanager_startstop(system_dbusd_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index c88c370bc2..4a0c3552f3 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -110,6 +110,8 @@ files_manage_quota_aos(dnsmasq_t)
dev_rw_tee_chr_files(dnsmasq_t)
+kernel_use_fds(dnsmasq_t)
+
optional_policy(`
cobbler_read_lib_files(dnsmasq_t)
')
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index dc813d136c..266451511d 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -317,3 +317,21 @@ interface(`ntp_admin',`
allow ntpd_t $1:dbus send_msg;
')
')
+
+########################################
+##
+## Allow a domain to perform nnp_transition to ntpd_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_ntpd', `
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ allow $1 ntpd_t:process2 nnp_transition;
+')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 8a85342940..1041414a2d 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -138,6 +138,8 @@ miscfiles_read_localization(ntpd_t)
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_user_home_dirs(ntpd_t)
+init_rw_script_stream_sockets(ntpd_t)
+kernel_use_fds(ntpd_t)
ifdef(`init_systemd',`
allow ntpd_t self:process setfscreate;
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index e5d6ecb135..63f2ce9295 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -282,6 +282,10 @@ userdom_signal_all_users(rpcd_t)
write_logging_runtime_dirs(rpcd_t)
+init_rw_script_stream_sockets(rpcd_t)
+
+kernel_use_fds(rpcd_t)
+
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
')
@@ -314,7 +318,7 @@ optional_policy(`
# NFSD local policy
#
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource sys_rawio };
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -363,6 +367,9 @@ fs_manage_tmpfs_dirs(nfsd_t)
fs_list_hugetlbfs(nfsd_t)
+init_rw_script_stream_sockets(nfsd_t)
+kernel_use_fds(nfsd_t)
+
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 105295a91c..19bce56942 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -73,6 +73,9 @@ logging_send_syslog_msg(rpcbind_t)
miscfiles_read_localization(rpcbind_t)
+init_rw_script_stream_sockets(rpcbind_t)
+kernel_use_fds(rpcbind_t)
+
# nfsd_t would not be allowed to send unix_stream_socket to rpcbind_t,
# because the are running in different level. So add rules to allow this.
mls_socket_read_all_levels(rpcbind_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 92598de63f..da087a563b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -265,6 +265,9 @@ files_map_etc_files(sshd_t)
init_manage_dir_utmp(sshd_t)
logging_rw_generic_logs(sshd_t)
+init_rw_script_stream_sockets(sshd_t)
+kernel_use_fds(sshd_t)
+
ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
auth_use_pam_motd_dynamic(sshd_t)
@@ -382,6 +385,8 @@ files_manage_var_dirs(ssh_keygen_t)
files_manage_var_files(ssh_keygen_t)
files_map_etc_files(ssh_keygen_t)
+init_rw_script_stream_sockets(ssh_keygen_t)
+
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
')
diff --git a/policy/modules/system/aos.if b/policy/modules/system/aos.if
index 84bcbc3d20..2852cd0391 100644
--- a/policy/modules/system/aos.if
+++ b/policy/modules/system/aos.if
@@ -167,6 +167,26 @@ interface(`files_manage_quota_aos',`
allow $1 aos_var_run_t:filesystem { quotaget quotamod remount getattr };
')
+# allow $1 aos_var_run_t:file { getattr };
+
+########################################
+##
+## Manage update rootfs files in /var/aos directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_update_rootfs_aos',`
+ gen_require(`
+ type aos_var_run_t;
+ ')
+
+ allow $1 aos_var_run_t:file { getattr };
+')
+
########################################
##
## Manage overlay files in /var/aos directory.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 34b8c92ee3..6bfcf57500 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -926,12 +926,21 @@ miscfiles_manage_generic_cert_files(initrc_t)
seutil_read_config(initrc_t)
+allow_nnp_transition_to_systemd_logind(initrc_t)
+allow_nnp_transition_to_systemd_networkd(initrc_t)
+allow_nnp_transition_to_syslogd(initrc_t)
+allow_nnp_transition_to_systemd_userdbd(initrc_t)
+allow_nnp_transition_to_ntpd(initrc_t)
+allow_nnp_transition_to_systemd_resolved(initrc_t)
+allow_nnp_transition_to_systemd_hostnamed(initrc_t)
+
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdom_use_inherited_user_terminals(initrc_t)
+
ifdef(`distro_debian',`
kernel_getattr_core_if(initrc_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0615f8f307..69cdc8799b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -524,6 +524,24 @@ interface(`logging_audit_socket_activation', `
allow $1 syslogd_t:netlink_audit_socket create_socket_perms;
')
+########################################
+##
+## Allow a domain to perform nnp_transition to syslogd_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_syslogd', `
+ gen_require(`
+ type syslogd_t;
+ ')
+
+ allow $1 syslogd_t:process2 nnp_transition;
+')
+
########################################
##
## Relabel to and from syslog temporary file type.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 933f9ff6f9..be0a3c93f7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,10 @@ miscfiles_read_localization(klogd_t)
mls_file_read_all_levels(klogd_t)
+init_rw_script_stream_sockets(klogd_t)
+
userdom_dontaudit_search_user_home_dirs(klogd_t)
+kernel_use_fds(klogd_t)
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -541,6 +544,8 @@ seutil_read_config(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
+init_rw_script_stream_sockets(syslogd_t)
+
ifdef(`init_systemd',`
# for systemd-journal
allow syslogd_t self:capability audit_control;
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 0bbf33b6c4..b2104fe37b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -229,6 +229,9 @@ fs_manage_bpf_dirs(lvm_t)
init_search_keys(lvm_t)
miscfiles_manage_generic_cert_files(lvm_t)
+init_rw_script_stream_sockets(lvm_t)
+write_logging_runtime_dirs(lvm_t)
+
ifdef(`init_systemd',`
init_rw_stream_sockets(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 4b0a47df25..ba8c7b8163 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -118,6 +118,8 @@ userdom_use_user_terminals(kmod_t)
userdom_dontaudit_search_user_home_dirs(kmod_t)
+init_rw_script_stream_sockets(kmod_t)
+
ifdef(`init_systemd',`
# for /run/tmpfiles.d/kmod.conf
allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index db2902ccb2..40839956d5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -161,6 +161,11 @@ files_allow_manage_var_files(mount_t)
files_allow_manage_var_chr_files(mount_t)
files_allow_manage_etc_files(mount_t)
+init_rw_script_stream_sockets(mount_t)
+fs_list_nfsd_fs(mount_t)
+fs_getattr_tracefs_dirs(mount_t)
+kernel_use_fds(mount_t)
+
ifdef(`distro_redhat',`
optional_policy(`
auth_read_pam_console_data(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9f48d5fabc..38241586db 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -671,6 +671,8 @@ userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
userdom_read_user_home_content_files(setfiles_t)
+init_rw_script_stream_sockets(setfiles_t)
+
ifdef(`distro_debian',`
# udev tmpfs is populated with static device nodes
# and then relabeled afterwards; thus
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5c09babb54..2c2c962615 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -374,6 +374,8 @@ dev_rw_xen(ifconfig_t)
var_run_file_operations(ifconfig_t)
+init_rw_script_stream_sockets(ifconfig_t)
+
# For "ip netns identify $$"
userdom_read_all_users_state(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index d25aaea78e..07414b359d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1355,6 +1355,24 @@ interface(`systemd_signull_logind',`
allow $1 systemd_logind_t:process signull;
')
+########################################
+##
+## Allow a domain to perform nnp_transition to systemd_logind_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_systemd_logind', `
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:process2 nnp_transition;
+')
+
########################################
##
## List the contents of systemd userdb runtime directories.
@@ -1467,6 +1485,42 @@ interface(`systemd_stream_connect_userdb', `
init_unix_stream_socket_connectto($1)
')
+########################################
+##
+## Allow a domain to perform nnp_transition to systemd_userdbd_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_systemd_userdbd', `
+ gen_require(`
+ type systemd_userdbd_t;
+ ')
+
+ allow $1 systemd_userdbd_t:process2 nnp_transition;
+')
+
+########################################
+##
+## Allow a domain to perform nnp_transition to systemd_resolved_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_systemd_resolved', `
+ gen_require(`
+ type systemd_resolved_t;
+ ')
+
+ allow $1 systemd_resolved_t:process2 nnp_transition;
+')
+
########################################
##
## Allow reading /run/systemd/machines
@@ -1564,6 +1618,24 @@ interface(`systemd_dbus_chat_hostnamed',`
allow systemd_hostnamed_t $1:dbus send_msg;
')
+########################################
+##
+## Allow a domain to perform nnp_transition to systemd_hostnamed_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_systemd_hostnamed', `
+ gen_require(`
+ type systemd_hostnamed_t;
+ ')
+
+ allow $1 systemd_hostnamed_t:process2 nnp_transition;
+')
+
########################################
##
## allow systemd_passwd_agent to inherit fds
@@ -2050,6 +2122,24 @@ interface(`systemd_read_networkd_runtime',`
read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
')
+########################################
+##
+## Allow a domain to perform nnp_transition to systemd_networkd_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`allow_nnp_transition_to_systemd_networkd', `
+ gen_require(`
+ type systemd_networkd_t;
+ ')
+
+ allow $1 systemd_networkd_t:process2 nnp_transition;
+')
+
########################################
##
## Allow systemd_logind_t to read process state for cgroup file
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 06076d554b..99da3fa62b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -549,6 +549,8 @@ udev_read_runtime_files(systemd_generator_t)
mls_file_read_to_clearance(systemd_generator_t)
mls_file_write_to_clearance(systemd_generator_t)
+files_manage_update_rootfs_aos(systemd_generator_t)
+
ifdef(`distro_gentoo',`
corecmd_shell_entry_type(systemd_generator_t)
')
@@ -736,6 +738,8 @@ sysnet_manage_config(systemd_hostnamed_t)
systemd_log_parse_environment(systemd_hostnamed_t)
+init_rw_script_stream_sockets(systemd_hostnamed_t)
+
# Allow reading /run/udev/data/+dmi:id
udev_read_runtime_files(systemd_hostnamed_t)
@@ -960,6 +964,9 @@ mls_file_write_to_clearance(systemd_logind_t)
files_map_etc_files(systemd_logind_t)
+init_rw_script_stream_sockets(systemd_logind_t)
+kernel_use_fds(systemd_logind_t)
+
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
# The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96
# should fix the problem where user directories in /run/user/$UID/ are not getting the proper context
@@ -980,6 +987,10 @@ tunable_policy(`systemd_logind_get_bootloader',`
# This reads the first sectors of fixed disk devices.
storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader)
+optional_policy(`
+ unconfined_use_fds(systemd_logind_t)
+')
+
optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
@@ -1121,6 +1132,7 @@ allow systemd_networkd_t self:rawip_socket create_socket_perms;
allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow systemd_networkd_t self:udp_socket create_socket_perms;
allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
@@ -1177,6 +1189,9 @@ systemd_log_parse_environment(systemd_networkd_t)
files_map_etc_files(systemd_networkd_t)
+init_rw_script_stream_sockets(systemd_networkd_t)
+kernel_use_fds(systemd_networkd_t)
+
tunable_policy(`systemd_networkd_dhcp_server',`
corenet_sendrecv_dhcpd_server_packets(systemd_networkd_t)
corenet_udp_bind_dhcpd_port(systemd_networkd_t)
@@ -1565,6 +1580,9 @@ systemd_log_parse_environment(systemd_resolved_t)
systemd_read_networkd_runtime(systemd_resolved_t)
files_map_etc_files(systemd_resolved_t)
+init_rw_script_stream_sockets(systemd_resolved_t)
+init_manage_dir_utmp(systemd_resolved_t)
+kernel_use_fds(systemd_resolved_t)
optional_policy(`
dbus_connect_system_bus(systemd_resolved_t)
@@ -1631,6 +1649,8 @@ fs_getattr_tmpfs(systemd_sessions_t)
fs_search_cgroup_dirs(systemd_sessions_t)
fs_getattr_cgroup(systemd_sessions_t)
+init_rw_script_stream_sockets(systemd_sessions_t)
+
########################################
#
# sysctl local policy
@@ -1658,8 +1678,12 @@ fs_search_ramfs(systemd_sysctl_t)
systemd_log_parse_environment(systemd_sysctl_t)
+init_rw_script_stream_sockets(systemd_sysctl_t)
+kernel_use_fds(systemd_sysctl_t)
+
fs_getattr_cgroup(systemd_sessions_t)
fs_search_cgroup_dirs(systemd_sessions_t)
+kernel_use_fds(systemd_sessions_t)
#########################################
#
@@ -1825,6 +1849,9 @@ mls_file_upgrade(systemd_tmpfiles_t)
userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+init_rw_script_stream_sockets(systemd_tmpfiles_t)
+kernel_use_fds(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
@@ -2005,6 +2032,9 @@ systemd_log_parse_environment(systemd_userdbd_t)
files_manage_var_files(systemd_userdbd_t)
+init_rw_script_stream_sockets(systemd_userdbd_t)
+kernel_use_fds(systemd_userdbd_t)
+
#########################################
#
# systemd-user-runtime-dir local policy
@@ -2059,6 +2089,8 @@ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
+init_rw_script_stream_sockets(systemd_user_runtime_dir_t)
+
optional_policy(`
dbus_system_bus_client(systemd_user_runtime_dir_t)
')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 37cd2d400d..e7418f2ff1 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -40,7 +40,7 @@ optional_policy(`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
allow udev_t self:capability2 { wake_alarm block_suspend };
-allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
+allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit setrlimit };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
allow udev_t self:sock_file read_sock_file_perms;
@@ -211,6 +211,11 @@ files_read_var_files(udev_t)
userdom_dontaudit_getattr_user_home_dirs(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
+init_rw_script_stream_sockets(udev_t)
+kernel_rw_fs_sysctls(udev_t)
+
+files_manage_update_rootfs_aos(udev_t)
+
ifdef(`distro_debian',`
# for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851933
files_read_default_files(udev_t)