init: attempt to port boolean init_create_mountpoints

policy/modules/kernel/files.if

@@ -853,6 +853,24 @@ interface(`files_search_non_security_dirs',`
 	allow $1 non_security_file_type:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create non-security directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_non_security_dirs',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	create_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all files.
@@ -1275,6 +1293,46 @@ interface(`files_relabel_non_security_files',`
 	seutil_relabelto_bin_policy($1)
 ')
 
+########################################
+## <summary>
+##	Write all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_write_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	write_files_pattern($1, non_security_file_type, non_security_file_type)
+	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+##	Create all non-security files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_create_non_security_files',`
+	gen_require(`
+		attribute non_security_file_type;
+	')
+
+	create_files_pattern($1, non_security_file_type, non_security_file_type)
+	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
 ########################################
 ## <summary>
 ##	Search all base file dirs.

policy/modules/kernel/kernel.if

@@ -1816,6 +1816,42 @@ interface(`kernel_dontaudit_list_all_proc',`
 	dontaudit $1 proc_type:file getattr;
 ')
 
+########################################
+## <summary>
+##	Write systemd mountpoint files except proc entries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_write_non_proc_init_mountpoint_files',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	init_write_mountpoint_files($1, -proc_type)
+')
+
+########################################
+## <summary>
+##	Create systemd mountpoint files except proc entries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_create_non_proc_init_mountpoint_files',`
+	gen_require(`
+		attribute proc_type;
+	')
+
+	init_create_mountpoint_files($1, -proc_type)
+')
+
 ########################################
 ## <summary>
 ##	Allow attempts to read all proc types.

policy/modules/system/init.if

@@ -816,6 +816,54 @@ interface(`init_named_socket_activation',`
     files_pid_filetrans(init_t, $2, { dir lnk_file sock_file fifo_file }, $3)
 ')
 
+########################################
+## <summary>
+##	Write systemd mountpoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`init_write_mountpoint_files',`
+	gen_require(`
+		attribute init_mountpoint_type;
+	')
+
+	allow $1 { init_mountpoint_type $2 }:file write_file_perms;
+')
+
+########################################
+## <summary>
+##	Create systemd mountpoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="exception_types" optional="true">
+##	<summary>
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+##	</summary>
+## </param>
+#
+interface(`init_create_mountpoint_files',`
+	gen_require(`
+		attribute init_mountpoint_type;
+	')
+
+	allow $1 { init_mountpoint_type $2 }:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to init with a unix socket.

policy/modules/system/init.te

@@ -51,6 +51,13 @@ gen_tunable(daemons_enable_cluster_mode, false)
 ## </desc>
 gen_tunable(init_create_dirs, true)
 
+## <desc>
+## <p>
+## Enable systemd to create mountpoints.
+## </p>
+## </desc>
+gen_tunable(init_create_mountpoints, false)
+
 ## <desc>
 ## <p>
 ## Allow init audit_control capability
@@ -584,6 +591,22 @@ tunable_policy(`init_create_dirs',`
     files_setattr_non_security_dirs(init_t)
 ')
 
+tunable_policy(`init_create_mountpoints',`
+    allow init_t init_mountpoint_type:dir { create_dir_perms add_entry_dir_perms };
+    allow init_t init_mountpoint_type:fifo_file create_fifo_file_perms;
+    allow init_t init_mountpoint_type:sock_file create_sock_file_perms;
+    allow init_t init_mountpoint_type:lnk_file create_lnk_file_perms;
+
+    kernel_write_non_proc_init_mountpoint_files(init_t)
+    kernel_create_non_proc_init_mountpoint_files(init_t)
+')
+
+tunable_policy(`init_create_mountpoints && init_create_dirs',`
+    files_create_non_security_dirs(init_t)
+    files_create_non_security_files(init_t)
+    files_write_non_security_files(init_t)
+')
+
 tunable_policy(`init_audit_control',`
 	allow init_t self:capability audit_control;
 ')