From 29d0bb8c33a4b5d5ecc564b2129fcea2f10b1743 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sun, 11 Aug 2024 20:00:44 +0800
Subject: [PATCH 1/7] systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/network
Fixes:
avc: denied { read } for pid=344 comm="systemd-network" path="/var/lib/systemd/network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { write } for pid=344 comm="systemd-network" name="network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { getattr } for pid=344 comm="systemd-network" path="/var/lib/systemd/network" dev="vda" ino=30708 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673d222bec..626914a205 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -87,6 +87,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+/var/lib/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 67ed3294b7..d6a7ced2a4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -212,6 +212,9 @@ init_mountpoint(systemd_networkd_runtime_t)
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)
+type systemd_networkd_var_lib_t;
+files_type(systemd_networkd_var_lib_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@@ -1241,6 +1244,10 @@ manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_netw
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
+
 kernel_read_system_state(systemd_networkd_t)
 kernel_read_kernel_sysctls(systemd_networkd_t)
 kernel_read_network_state(systemd_networkd_t)
From 78cacc7088b9f9ddbc46587492cb8b930a8a46c8 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sun, 11 Aug 2024 20:06:45 +0800
Subject: [PATCH 2/7] systemd: allow systemd-networkd to manage sock files under /run/systemd/netif
Fixes:
avc: denied { create } for pid=344 comm="systemd-network" name="io.systemd.Network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:systemd_networkd_runtime_t tclass=sock_file permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d6a7ced2a4..a4dd45a440 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
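Review bot: `init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)` carries no filename, so every directory systemd_networkd_t creates directly under init_var_lib_t would get the new type, while the fc entry only covers `/var/lib/systemd/network(/.*)?`. Passing the name keeps the transition as narrow as the label: `init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir, "network")`. The three denials quoted in the message are all on the directory itself, so whether networkd also needs lnk files here (as it has for the runtime type just above) cannot be told from this hunk; a one-line comment such as `# /var/lib/systemd/network` above the new block would at least tie the rules to the path.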
@@ -1243,6 +1243,7 @@ allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+manage_sock_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
From 47081be47207ab4958bca00020ab15ec663b81d4 Mon Sep 17 00:00:00 2001
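Review bot: The new `manage_sock_files_pattern` line does not say which socket it is for, although the denial names it; a short comment keeps the rule traceable once the commit message is no longer at hand: `# /run/systemd/netif/io.systemd.Network`. Only creation by networkd is covered here; any domain that later connects to that socket will need a separate stream-connect interface, which this series does not add — that is likely out of scope, but worth a mention in the message.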
From: Yi Zhao
Date: Mon, 12 Aug 2024 16:17:29 +0800
Subject: [PATCH 3/7] systemd: allow system --user to create netlink_route_socket
Fixes:
avc: denied { create } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { getopt } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { setopt } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { bind } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { getattr } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { write } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { nlmsg_read } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { read } for pid=373 comm="systemd" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket permissive=1
avc: denied { sendto } for pid=378 comm="(ystemctl)" scontext=root:sysadm_r:sysadm_systemd_t tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.if | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a9c8a1a5a0..b9dbd97cc0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -61,6 +61,8 @@ template(`systemd_role_template',`
 # remainder of the rules.
 allow $1_systemd_t self:process { getsched signal };
 allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_systemd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow $1_systemd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
 corecmd_shell_domtrans($1_systemd_t, $3)
From a4a7b830fe07f2de3129a1fef088cc5f2e4e349a Mon Sep 17 00:00:00 2001
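Review bot: The two rules added to `systemd_role_template` have no comment, and because the template is instantiated for every role, the grant applies to all `$1_systemd_t` user instances, not only the sysadm one in the denials; the template body begins before this hunk. The scope itself looks right — `r_netlink_socket_perms` should cover the create/bind/getopt/setopt/getattr/read/write/nlmsg_read set without granting nlmsg_write, and `sendto` matches the `(ystemctl)` child's dgram denial — so a short comment is mainly there to stop the next person from widening it: `# user instance: read-only rtnetlink queries and dgram sendto to itself`. The Subject says "system --user" where "systemd --user" is presumably meant.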
From: Yi Zhao
Date: Mon, 12 Aug 2024 11:09:52 +0800
Subject: [PATCH 4/7] systemd: add policy for systemd-nsresourced
The systemd-nsresourced service was added in systemd v256[1]. Add policy for this service and allow all domains to connect to it over unix socket.
Fixes:
avc: denied { connectto } for pid=325 comm="avahi-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=327 comm="dbus-daemon" name="io.systemd.NamespaceResource" dev="tmpfs" ino=54 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc: denied { connectto } for pid=327 comm="dbus-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=200 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc: denied { connectto } for pid=198 comm="systemd-userwor" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
[1] https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec
Signed-off-by: Yi Zhao
---
 policy/modules/services/avahi.te | 4 ++++
 policy/modules/services/bind.te | 4 ++++
 policy/modules/services/dbus.te | 2 ++
 policy/modules/services/postfix.te | 8 +++++++
 policy/modules/system/systemd.fc | 4 ++++
 policy/modules/system/systemd.if | 21 +++++++++++++++++
 policy/modules/system/systemd.te | 36 ++++++++++++++++++++++++++++++
 7 files changed, 79 insertions(+)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 5cdfa08a4e..da74735369 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -95,6 +95,10 @@ sysnet_etc_filetrans_config(avahi_t)
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(avahi_t)
+')
+
 optional_policy(`
 dbus_system_domain(avahi_t, avahi_exec_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0db949185d..a3336c28c7 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -168,6 +168,10 @@ miscfiles_read_generic_tls_privkey(named_t)
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(named_t)
+')
+
 tunable_policy(`named_tcp_bind_http_port',`
 corenet_sendrecv_http_server_packets(named_t)
 corenet_tcp_bind_http_port(named_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b83f822a60..4e2e32ec02 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -215,6 +215,8 @@ ifdef(`init_systemd', `
 init_start_all_units(system_dbusd_t)
 init_stop_all_units(system_dbusd_t)
+ systemd_stream_connect_nsresourced(system_dbusd_t)
+
 # Recent versions of dbus are started as Type=notify
 systemd_write_notify_socket(system_dbusd_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 12dab41649..23a5461af6 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
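Review bot: The commit message says all domains are allowed to connect to systemd-nsresourced, but the patch wires `systemd_stream_connect_nsresourced` into a fixed set of domains only: avahi_t, named_t and system_dbusd_t in these hunks, postfix_pickup_t and postfix_qmgr_t in the next file, and systemd_sysusers_t and systemd_userdbd_t in systemd.te. The per-domain form is the better default and should stay; the description should say so instead of "all domains", and since named_t and the two postfix domains have no denial quoted in the message, a sentence on what triggered them would help a later reader. If every domain really were meant, a single rule on the domain attribute would replace these per-module ifdef blocks rather than growing this list one service at a time.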
@@ -575,6 +575,10 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(postfix_pickup_t)
+')
+
 optional_policy(`
 dbus_system_bus_client(postfix_pickup_t)
 init_dbus_chat(postfix_pickup_t)
@@ -729,6 +733,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 corecmd_exec_bin(postfix_qmgr_t)
+ifdef(`init_systemd',`
+ systemd_stream_connect_nsresourced(postfix_qmgr_t)
+')
+
 optional_policy(`
 dbus_send_system_bus(postfix_qmgr_t)
 dbus_system_bus_client(postfix_qmgr_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 626914a205..c71453465e 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -39,6 +39,8 @@
 /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourced -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourcework -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
 /usr/lib/systemd/systemd-pcrextend -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrlock -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrphase -- gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
@@ -116,6 +118,8 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /run/systemd/nspawn(/.*)? gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
 /run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/nsresource(/.*)? gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
+/run/systemd/io\.systemd\.NamespaceResource -s gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
 /run/tmpfiles\.d -d gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/tmpfiles\.d/.* <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b9dbd97cc0..e62e8344a2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2234,6 +2234,27 @@ interface(`systemd_read_networkd_runtime',`
 read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 ')
+#######################################
+##
+## Connect to systemd-nsresourced over
+## /run/systemd/io.systemd.NamespaceResource .
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_stream_connect_nsresourced', `
+ gen_require(`
+ type systemd_nsresourced_t;
+ type systemd_nsresourced_runtime_t;
+ ')
+
+ init_search_runtime($1)
+ stream_connect_pattern($1, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t, systemd_nsresourced_t)
+')
+
 ########################################
 ##
 ## Allow systemd_logind_t to read process state for cgroup file
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a4dd45a440..26d5a0ba2e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -229,6 +229,13 @@ files_runtime_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
+type systemd_nsresourced_t;
+type systemd_nsresourced_exec_t;
+init_daemon_domain(systemd_nsresourced_t, systemd_nsresourced_exec_t)
+
+type systemd_nsresourced_runtime_t;
+files_runtime_file(systemd_nsresourced_runtime_t)
+
 type systemd_pcrphase_t;
 type systemd_pcrphase_exec_t;
 init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
@@ -1487,6 +1494,31 @@ optional_policy(`
 virt_manage_virt_content(systemd_nspawn_t)
 ')
+#########################################
+#
+# nsresourced local policy
+#
+
+allow systemd_nsresourced_t self:capability { sys_resource };
+allow systemd_nsresourced_t self:process { getcap signal };
+allow systemd_nsresourced_t systemd_nsresourced_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_sock_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)
+
+fs_getattr_cgroup(systemd_nsresourced_t)
+
+# for /proc/1/environ
+init_read_state(systemd_nsresourced_t)
+
+kernel_read_kernel_sysctls(systemd_nsresourced_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_nsresourced_t)
+
+systemd_log_parse_environment(systemd_nsresourced_t)
+
 #######################################
 #
 # systemd_passwd_agent_t local policy
@@ -1804,6 +1836,8 @@ seutil_read_file_contexts(systemd_sysusers_t)
 systemd_log_parse_environment(systemd_sysusers_t)
+systemd_stream_connect_nsresourced(systemd_sysusers_t)
+
 #########################################
 #
 # Tmpfiles local policy
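Review bot: `init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)` transitions directories only, so if the daemon itself creates `/run/systemd/io.systemd.NamespaceResource` the socket inherits init_runtime_t — which is exactly the tcontext of the dbus-daemon sock_file denial in the message — and the `-s` entry added to systemd.fc only repairs that on a relabel. If the daemon creates the socket, add the class: `init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, { dir sock_file })`; if the socket is activated and created by init instead, the transition belongs with init's rules and a comment saying so would settle it. The `execute_no_trans` rule on systemd_nsresourced_exec_t is presumably for systemd-nsresourcework, which the fc hunk gives the same exec type; say so in place: `# systemd-nsresourcework shares the exec type, runs in the daemon domain`.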
@@ -2106,6 +2140,8 @@ seutil_search_default_contexts(systemd_userdbd_t)
 systemd_log_parse_environment(systemd_userdbd_t)
+systemd_stream_connect_nsresourced(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy
From d852b75403909b9771de673a4d3f6e980c8a8848 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Fri, 30 Aug 2024 11:46:34 +0800
Subject: [PATCH 5/7] devices: add label vsock_device_t for /dev/vsock
Vsock is a Linux socket family designed to allow communication between a VM and its hypervisor. Add a new label vsock_device_t for vsock device.
Signed-off-by: Yi Zhao
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.if | 54 ++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te | 6 ++++
 3 files changed, 61 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index fb3010308d..5d7d2a4c13 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -134,6 +134,7 @@ ifdef(`distro_suse', `
 ')
 /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0)
 /dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f1485276f5..5f9419ce69 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
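Review bot: The new `/dev/vsock` entry in devices.fc is out of alphabetical order: it sits between `/dev/vbox.*` and `/dev/vfio/.+`, but sorts after `/dev/vhci`, the last line of the hunk. Move the line below the vhci entry (the right spot is just past the end of this hunk). The `-c` class matches the chr_file tclass seen in the later systemd-ssh-generator denials, so the entry itself is correct.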
@@ -5556,6 +5556,60 @@ interface(`dev_rwx_vmware',`
 allow $1 vmware_device_t:chr_file { execute map };
 ')
+########################################
+##
+## Read the vsock device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_vsock',`
+ gen_require(`
+ type device_t, vsock_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
+########################################
+##
+## Write the vsock device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_vsock',`
+ gen_require(`
+ type device_t, vsock_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
+########################################
+##
+## Read and write the vsock device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_vsock',`
+ gen_require(`
+ type device_t, vsock_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, vsock_device_t)
+')
+
 ########################################
 ##
 ## Read from watchdog devices.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index c06a77ade3..255a30b091 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -402,6 +402,12 @@ dev_node(vhost_device_t)
 type vmware_device_t;
 dev_node(vmware_device_t)
+#
+# vsock_device_t is the type for /dev/vsock
+#
+type vsock_device_t;
+dev_node(vsock_device_t)
+
 type watchdog_device_t;
 dev_node(watchdog_device_t)
From 4f3437040ad678172f15868f2f75a568eff08d18 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 26 Aug 2024 19:48:29 +0800
Subject: [PATCH 6/7] systemd: fix policy for systemd-ssh-generator
Fixes:
avc: denied { getattr } for pid=121 comm="systemd-ssh-gen" path="/usr/sbin/sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { execute } for pid=121 comm="systemd-ssh-gen" name="sshd" dev="vda" ino=7787 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { create } for pid=121 comm="systemd-ssh-gen" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket permissive=1
avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { open } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen" path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 26d5a0ba2e..6d471d89bf 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -538,6 +538,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
 allow systemd_generator_t self:process { getcap getsched setfscreate signal };
+# for systemd-ssh-generator
+allow systemd_generator_t self:vsock_socket create;
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -548,6 +550,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
 dev_create_sysfs_files(systemd_generator_t)
 dev_write_sysfs(systemd_generator_t)
+# for systemd-ssh-generator
+dev_read_vsock(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -635,6 +639,11 @@ optional_policy(`
 rpc_read_exports(systemd_generator_t)
 ')
+optional_policy(`
+ # needed by systemd-ssh-generator
+ ssh_exec_sshd(systemd_generator_t)
+')
+
 optional_policy(`
 # needed by zfs-mount-generator
 zfs_read_config(systemd_generator_t)
From c20cf22142b10094b03b53f298126009c32b53dc Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Tue, 10 Sep 2024 15:45:32 +0800
Subject: [PATCH 7/7] systemd: allow systemd-hostnamed to read vsock device
Fixes:
avc: denied { read } for pid=463 comm="systemd-hostnam" name="vsock" dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d471d89bf..d58aba30b2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
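Review bot: `ssh_exec_sshd(systemd_generator_t)` executes the sshd binary without a domain transition, so sshd code runs inside systemd_generator_t, and the comment `# needed by systemd-ssh-generator` does not say why a generator runs it at all; the denials only show getattr and execute on /usr/sbin/sshd. Record what is known rather than the bare attribution, e.g. `# systemd-ssh-generator executes /usr/sbin/sshd in its own domain (no transition)`, and if it is only invoked to query the binary, say that too. Likewise `self:vsock_socket create` with no read/write is unusual; if the generator only creates the socket to probe for vsock support, note it: `# vsock availability probe, create only`. The /dev/vsock denials were raised against device_t, so `dev_read_vsock` only takes effect once the node carries vsock_device_t from the devices.fc entry earlier in this series — the later hostnamed denial shows that it does.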
@@ -782,6 +782,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
 kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 dev_read_sysfs(systemd_hostnamed_t)
+dev_read_vsock(systemd_hostnamed_t)
 files_read_etc_files(systemd_hostnamed_t)
 files_read_etc_runtime_files(systemd_hostnamed_t)