SELinuxProject · etbe · Aug 7, 2025 · Sep 5, 2025 · pebenito · Aug 15, 2025
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
@@ -182,6 +182,10 @@ optional_policy(`
 	spamassassin_read_spamd_tmp_files(gpg_t)
 ')
 
+optional_policy(`
+	systemd_user_sessions_create_stream_socket(gpg_t)
+')
+
 optional_policy(`
 	xserver_use_xdm_fds(gpg_t)
 	xserver_rw_xdm_pipes(gpg_t)
@@ -304,6 +308,10 @@ optional_policy(`
 	pcscd_stream_connect(gpg_agent_t)
 ')
 
+optional_policy(`
+	systemd_user_sessions_create_sock_file(gpg_runtime_t)
+')
+
 optional_policy(`
 	xserver_sigchld_xdm(gpg_agent_t)
 	xserver_read_user_xauth(gpg_agent_t)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
@@ -24,6 +24,13 @@ gen_tunable(allow_ptrace, false)
 ## </desc>
 gen_tunable(sysadm_allow_rw_inherited_fifo, false)
 
+## <desc>
+## <p>
+## Allow sysadm to run systemd-nspawn directly
+## </p>
+## </desc>
+gen_tunable(sysadm_run_nspawn, false)
+
 #role sysadm_r;
 
 userdom_admin_user_template(sysadm)
@@ -123,6 +130,10 @@ ifdef(`init_systemd',`
 	systemd_dbus_chat_networkd(sysadm_t)
 	fs_read_nsfs_files(sysadm_t)
 
+	systemd_run_nspawn(sysadm_t, sysadm_r, sysadm_run_nspawn)
+	systemd_run_passwd_agent(sysadm_t, sysadm_r)
+	systemd_watch_passwd_runtime_dirs(sysadm_t)
+
 	# Allow sysadm to follow logs in the journal, i.e. with podman logs -f
 	systemd_watch_journal_dirs(sysadm_t)
 ')

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
@@ -289,6 +289,7 @@ template(`ssh_server_template', `
 	')
 
 	optional_policy(`
+		systemd_getattr_notify_socket($1_t)
 		systemd_read_logind_sessions_files($1_t)
 		systemd_stream_connect_userdb($1_t)
 	')
@@ -369,6 +370,7 @@ template(`ssh_role_template',`
 
 	optional_policy(`
 		systemd_user_app_status($1, ssh_t)
+		systemd_user_create_unix_stream_socket($1, $1_ssh_agent_t)
 	')
 
 	##############################

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
@@ -192,6 +192,11 @@ tunable_policy(`allow_ssh_keysign',`
 	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 ')
 
+ifdef(`init_systemd',`
+	systemd_user_runtime_dir_unlink(ssh_agent_tmp_t, sock_file)
+	systemd_user_sessions_manage_sock_file(ssh_agent_tmp_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(ssh_t)
 	fs_manage_nfs_files(ssh_t)
@@ -291,6 +296,7 @@ ifdef(`init_systemd',`
 	# dynamic users
 	init_stream_connect(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_dgram_nspawn(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
@@ -116,12 +116,23 @@ template(`systemd_role_template',`
 	# container engines will move container processes to different slices
 	init_dbus_chat($1_systemd_t)
 
+	# for services run by init such as /run/systemd/oom/io.system.ManagedOOM
+	init_unix_stream_socket_connectto($1_systemd_t)
+
 	# the [email protected] unit is restarted when containers are created
 	systemd_get_user_manager_units_status($1_systemd_t)
 	systemd_start_user_manager_units($1_systemd_t)
 	systemd_stop_user_manager_units($1_systemd_t)
 	systemd_reload_user_manager_units($1_systemd_t)
 
+	systemd_list_userdb_runtime_dirs($1_systemd_t)
+	systemd_stream_connect_homed($1_systemd_t)
+
+	# for wireplumber
+	systemd_read_logind_runtime_files($3)
+	systemd_watch_logind_runtime_dirs($3)
+
+	miscfiles_read_fonts($1_systemd_t)
 	miscfiles_watch_localization($1_systemd_t)
 
 	mount_read_runtime_files($1_systemd_t)
@@ -131,19 +142,26 @@ template(`systemd_role_template',`
 	seutil_search_default_contexts($1_systemd_t)
 	seutil_read_file_contexts($1_systemd_t)
 
+	userdom_list_user_home_dirs($1_systemd_t)
+	userdom_watch_user_home_dirs($1_systemd_t)
+	userdom_list_user_home_content($1_systemd_t)
+	userdom_write_user_tmp_sockets($1_systemd_t)
+
 	systemd_manage_conf_home_content($1_systemd_t)
 	systemd_manage_data_home_content($1_systemd_t)
 
 	systemd_search_user_runtime_unit_dirs($1_systemd_t)
 	systemd_search_user_transient_unit_dirs($1_systemd_t)
 	systemd_read_user_units_files($1_systemd_t)
+	systemd_read_logind_state($1_systemd_t)
 	systemd_write_notify_socket($1_systemd_t)
 
 	dbus_system_bus_client($1_systemd_t)
 	dbus_spec_session_bus_client($1, $1_systemd_t)
 	dbus_connect_spec_session_bus($1, $1_systemd_t)
 
 	userdom_exec_user_bin_files($1_systemd_t)
+	userdom_list_user_tmp($1_systemd_t)
 
 	# user systemd-tmpfiles rules
 	allow $1_systemd_tmpfiles_t $1_systemd_t:unix_stream_socket rw_socket_perms;
@@ -234,6 +252,7 @@ template(`systemd_role_template',`
 		xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
 		xdg_read_config_files($1_systemd_t)
 		xdg_read_data_files($1_systemd_t)
+		xdg_watch_cache_dirs($1_systemd_t)
 	')
 
 	optional_policy(`
@@ -341,6 +360,25 @@ interface(`systemd_write_notify_socket',`
 	allow $1 systemd_runtime_notify_t:sock_file write_sock_file_perms;
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to stat the
+##  systemd-notify socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_getattr_notify_socket',`
+	gen_require(`
+		type systemd_runtime_notify_t;
+	')
+
+	allow $1 systemd_runtime_notify_t:sock_file getattr;
+')
+
 ######################################
 ## <summary>
 ##	Allow the target domain the permissions necessary
@@ -370,6 +408,29 @@ template(`systemd_user_send_systemd_notify',`
 	allow $2 $1_systemd_t:unix_dgram_socket sendto;
 ')
 
+######################################
+## <summary>
+##   Allow the target domain to have unix stream sockets created for it
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to allow the systemd user instance to monitor.
+##	</summary>
+## </param>
+#
+template(`systemd_user_create_unix_stream_socket',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $1_systemd_t $2:unix_stream_socket { create setopt bind listen };
+')
+
 ######################################
 ## <summary>
 ##   Allow the target domain to be monitored and have its output
@@ -2955,6 +3016,83 @@ interface(`systemd_status_all_user_sessions',`
 	allow $1 systemd_user_session_type:system status;
 ')
 
+########################################
+## <summary>
+##    allow systemd --user to create stream sockets for a process
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain to own the socket
+##    </summary>
+## </param>
+#
+interface(`systemd_user_sessions_create_stream_socket',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow systemd_user_session_type $1:unix_stream_socket { create setopt bind listen };
+')
+
+########################################
+## <summary>
+##    allow systemd --user to create stream socket file
+## </summary>
+## <param name="type">
+##    <summary>
+##    type of the socket file
+##    </summary>
+## </param>
+#
+interface(`systemd_user_sessions_create_sock_file',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow systemd_user_session_type $1:sock_file { create getattr write };
+')
+
+########################################
+## <summary>
+##    allow systemd --user to manage stream socket file
+## </summary>
+## <param name="type">
+##    <summary>
+##    type of the socket file
+##    </summary>
+## </param>
+#
+interface(`systemd_user_sessions_manage_sock_file',`
+	gen_require(`
+		attribute systemd_user_session_type;
+	')
+
+	allow systemd_user_session_type $1:sock_file manage_sock_file_perms;
+')
 interface(`init_abstract_socket_activation',` 
 interface(`init_abstract_socket_activation',` 
+
+########################################
+## <summary>
+##    Unlink user runtime entries
+## </summary>
+## <param name="type">
+##    <summary>
+##    Type to unlink
+##    </summary>
+## </param>
+## <param name="class">
+##    <summary>
+##    class to unlink
+##    </summary>
+## </param>
+#
+interface(`systemd_user_runtime_dir_unlink',`
+	gen_require(`
+		type systemd_user_runtime_dir_t;
+	')
+
+	allow systemd_user_runtime_dir_t $1:$2 unlink;
+')
+
 ########################################
 ## <summary>
 ##  Execute systemd-sysusers in the
@@ -3019,3 +3157,52 @@ interface(`systemd_use_inherited_machined_ptys', `
 	allow $1 systemd_machined_t:fd use;
 	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
 ')
+
+########################################
+## <summary>
+##  run systemd-nspawn in systemd_nspawn_t domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role  of the object to create.
+##      </summary>
+## </param>
+## <param name="boolean">
+##      <summary>
+##      boolean to allow this
+##      </summary>
+## </param>
+#
+interface(`systemd_run_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_exec_t;
+	')
+
+	role $2 types systemd_nspawn_t;
+	tunable_policy(`$3', `
+		domtrans_pattern($1, systemd_nspawn_exec_t, systemd_nspawn_t)
+	')
+')
+
+########################################
+## <summary>
+##  send datagrams to systemd_nspawn_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dgram_nspawn', `
+	gen_require(`
+		type systemd_nspawn_t, systemd_nspawn_var_run_t;
+	')
+
+	dgram_send_pattern($1, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t, systemd_nspawn_t)
+')