This patch fixes a delay in login and allows machinectl shell to work.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20220325/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/init.if
+++ refpolicy-2.20220325/policy/modules/system/init.if
@@ -3301,6 +3301,24 @@ interface(`init_tcp_recvfrom_all_daemons
corenet_tcp_recvfrom_labeled($1, daemon)
')
+######################################
+## <summary>
+## restart systemd units, for /run/systemd/transient/*
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_restart_units',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:service { start status stop };
+')
+
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket
Index: refpolicy-2.20220325/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20220325/policy/modules/system/locallogin.te
@@ -129,7 +129,8 @@ auth_manage_pam_runtime_files(local_logi
auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
miscfiles_read_localization(local_login_t)
Index: refpolicy-2.20220325/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20220325/policy/modules/system/systemd.te
@@ -851,6 +851,9 @@ init_start_system(systemd_logind_t)
init_stop_system(systemd_logind_t)
init_watch_utmp(systemd_logind_t)
+# for /run/systemd/transient/*
+init_restart_units(systemd_logind_t)
+
locallogin_read_state(systemd_logind_t)
seutil_libselinux_linked(systemd_logind_t)
Index: refpolicy-2.20220325/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20220325.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20220325/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
## The user domain for the role.
## </summary>
## </param>
-## <param name="pty_type">
-## <summary>
-## The type for the user pty
-## </summary>
-## </param>
#
template(`systemd_role_template',`
gen_require(`
@@ -33,6 +28,7 @@ template(`systemd_role_template',`
type systemd_conf_home_t, systemd_data_home_t;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t, systemd_user_runtime_unit_t;
+ type systemd_machined_t, user_devpts_t;
')
#################################
@@ -60,6 +56,7 @@ template(`systemd_role_template',`
allow $1_systemd_t $3:process { setsched rlimitinh signal_perms };
corecmd_shell_domtrans($1_systemd_t, $3)
corecmd_bin_domtrans($1_systemd_t, $3)
+ corecmd_shell_entry_type($1_systemd_t)
# systemctl --user rules
allow $1_systemd_t systemd_user_unix_stream_activated_socket_type:unix_stream_socket { create_socket_perms listen };
@@ -114,6 +111,10 @@ template(`systemd_role_template',`
seutil_search_default_contexts($1_systemd_t)
seutil_read_file_contexts($1_systemd_t)
+ # for machinectl shell
+ term_user_pty($1_systemd_t, user_devpts_t)
+ allow $1_systemd_t user_devpts_t:chr_file rw_file_perms;
+
systemd_manage_conf_home_content($1_systemd_t)
systemd_manage_data_home_content($1_systemd_t)
@@ -144,6 +145,12 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ # for "machinectl shell"
+ allow $1_systemd_t systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:dbus send_msg;
+ allow systemd_machined_t $3:dbus send_msg;
+
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow $3 systemd_user_unit_t:service { reload start status stop };
