From 3b94d0285279d7dffae47a3532135e2b9fb1e31d Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Fri, 29 Mar 2024 15:14:36 -0500 Subject: [PATCH] init: attempt to port boolean init_create_mountpoints Attempt to port over https://github.com/SELinuxProject/refpolicy/commit/3265c15c30029db523bb082b3e81cd56ab41fb8e --- policy/modules/kernel/files.if | 58 +++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.if | 36 ++++++++++++++++++++ policy/modules/system/init.if | 48 +++++++++++++++++++++++++++ policy/modules/system/init.te | 23 +++++++++++++ 4 files changed, 165 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 7f52c1ec82..f04fd7409c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -853,6 +853,24 @@ interface(`files_search_non_security_dirs',` allow $1 non_security_file_type:dir search_dir_perms; ') +######################################## +## +## Create non-security directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + create_dirs_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Get the attributes of all files. 
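Review bot: The summary of `files_create_non_security_dirs` reads `Create non-security directories.` while the companion interfaces in the next hunk say `all non-security files`; since `create_dirs_pattern` is applied to the whole `non_security_file_type` attribute, the summary should state that breadth, e.g. `## Create all non-security directories.`, matching the naming of the existing `files_search_non_security_dirs` and `files_setattr_non_security_dirs` family. It would also help callers if the description said that this is meant to be wrapped in a tunable, as init.te does below, rather than granted unconditionally.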
@@ -1275,6 +1293,46 @@ interface(`files_relabel_non_security_files',` seutil_relabelto_bin_policy($1) ') +######################################## +## +## Write all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_write_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + write_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## +## Create all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + create_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + ######################################## ## ## Search all base file dirs. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index d439f1db2e..244436633f 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1816,6 +1816,42 @@ interface(`kernel_dontaudit_list_all_proc',` dontaudit $1 proc_type:file getattr; ') +######################################## +## +## Write systemd mountpoint files except proc entries. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_write_non_proc_init_mountpoint_files',` + gen_require(` + attribute proc_type; + ') + + init_write_mountpoint_files($1, -proc_type) +') + +######################################## +## +## Create systemd mountpoint files except proc entries. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_create_non_proc_init_mountpoint_files',` + gen_require(` + attribute proc_type; + ') + + init_create_mountpoint_files($1, -proc_type) +') + ######################################## ## ## Allow attempts to read all proc types. 
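Review bot: `files_write_non_security_files` grants `write_file_perms` on every type carrying `non_security_file_type`, which, if this tree follows refpolicy's `files_type()` convention, is most file types on the system that are not marked security-sensitive, yet the only parameter text is `Domain allowed access.`; the description should state that scope so nobody treats it as a narrow mountpoint helper, e.g. `## Write all files that are not security-sensitive. This is a very broad grant and should only be used inside a tunable.`. The same applies to `files_create_non_security_files` in this hunk. Both interfaces also add `read_lnk_files_pattern`, which is not reflected in their summaries; a short mention of symlink reading would make the full grant visible to callers.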
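Review bot: The two new `kernel_*_non_proc_init_mountpoint_files` interfaces do not explain why `proc_type` is carved out, and the reason is security-relevant: a write grant that reached proc-backed files would presumably amount to write access on kernel-exported parameters rather than on mountpoints, so the exclusion is what keeps these interfaces mountpoint-scoped. Suggest adding to each description something like `## proc entries are excluded so that this does not become a write grant on kernel-exported files.`. Calling the system-layer `init_*_mountpoint_files` interfaces from kernel.if is consistent with existing practice in this tree (`files_relabel_non_security_files` calls `seutil_relabelto_bin_policy` in the previous hunk), so I do not raise the layering itself.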
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 95881f4756..1adb6b07dd 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -816,6 +816,54 @@ interface(`init_named_socket_activation',` files_pid_filetrans(init_t, $2, { dir lnk_file sock_file fifo_file }, $3) ') +######################################## +## +## Write systemd mountpoint files. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`init_write_mountpoint_files',` + gen_require(` + attribute init_mountpoint_type; + ') + + allow $1 { init_mountpoint_type $2 }:file write_file_perms; +') + +######################################## +## +## Create systemd mountpoint files. +## +## +## +## Domain allowed access. +## +## +## +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## +## +# +interface(`init_create_mountpoint_files',` + gen_require(` + attribute init_mountpoint_type; + ') + + allow $1 { init_mountpoint_type $2 }:file create_file_perms; +') + ######################################## ## ## Connect to init with a unix socket. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 312e76d286..41d0f75558 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -51,6 +51,13 @@ gen_tunable(daemons_enable_cluster_mode, false) ## gen_tunable(init_create_dirs, true) +## +##
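Review bot: Both `init_write_mountpoint_files` and `init_create_mountpoint_files` `gen_require` `attribute init_mountpoint_type`, and the last init.te hunk uses it directly in `allow init_t init_mountpoint_type:dir ...`, but nothing in this patch declares the attribute or assigns a type to it; if it is not already present in this tree the policy will not build, and if no type carries it every new rule is empty. Since the commit message describes this as a port, check that the attribute declaration and whatever labels types with it were brought over as well. The `$2` description correctly says each excluded type must be negated by the caller; it would be worth adding that `$2` is optional, since callers other than kernel.if will pass nothing and rely on `{ init_mountpoint_type }` alone.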

+## Enable systemd to create mountpoints. +##

+##
+gen_tunable(init_create_mountpoints, false) + ## ##

## Allow init audit_control capability @@ -584,6 +591,22 @@ tunable_policy(`init_create_dirs',` files_setattr_non_security_dirs(init_t) ') +tunable_policy(`init_create_mountpoints',` + allow init_t init_mountpoint_type:dir { create_dir_perms add_entry_dir_perms }; + allow init_t init_mountpoint_type:fifo_file create_fifo_file_perms; + allow init_t init_mountpoint_type:sock_file create_sock_file_perms; + allow init_t init_mountpoint_type:lnk_file create_lnk_file_perms; + + kernel_write_non_proc_init_mountpoint_files(init_t) + kernel_create_non_proc_init_mountpoint_files(init_t) +') + +tunable_policy(`init_create_mountpoints && init_create_dirs',` + files_create_non_security_dirs(init_t) + files_create_non_security_files(init_t) + files_write_non_security_files(init_t) +') + tunable_policy(`init_audit_control',` allow init_t self:capability audit_control; ')
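Review bot: The tunable description `Enable systemd to create mountpoints.` understates what the tunable grants in the following hunk: with `init_create_mountpoints` alone, init gets create permission on `init_mountpoint_type` dirs, fifos, sockets, symlinks and non-proc files, and when `init_create_dirs` is also enabled it gets create and write access to all non-security dirs and files through `files_create_non_security_dirs`, `files_create_non_security_files` and `files_write_non_security_files`. An administrator deciding whether to flip it should see that scope, e.g. `## Allow init to create mountpoint directories and files. When init_create_dirs is also enabled, init may additionally create and write all non-security files and directories.`. Defaulting to false is appropriate given that breadth.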
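Review bot: In the `init_create_mountpoints && init_create_dirs` block, `files_write_non_security_files(init_t)` sits next to `files_create_non_security_files(init_t)`; if this tree's `create_file_perms` already contains open/write/append as refpolicy's perm-set definitions do (confirm against the project's obj_perm_sets), the write interface is redundant there and can be dropped to keep the grant minimal. More importantly, those `files_` grants cover every `non_security_file_type` type, not just mountpoint types, so they extend well beyond creating mountpoints; if the intent is only to create mountpoint entries beneath existing non-security directories, consider limiting this block to `files_create_non_security_dirs(init_t)` plus the `init_mountpoint_type` rules in the first block and leaving file write on the whole attribute out. The first block itself looks consistent with the tunable's stated purpose.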