From 941e159bb33073b1045de7ecb8c17c6a6f648610 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 8 Jan 2025 16:26:15 +0100
Subject: [PATCH] Confine systemd system-ssh-generator

Resolves: RHEL-72549
---
 policy/modules/services/ssh.if   | 19 +++++++++++++++++++
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 15 +++++++++++++++
 3 files changed, 35 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 7c0910213f..133932f136 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -1147,3 +1147,22 @@ interface(`ssh_read_state',`
 
 	read_files_pattern($1, ssh_t, ssh_t)
 ')
+
+########################################
+## <summary>
+##	Get attributes of sshd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ssh_getattr_unit_file',`
+	gen_require(`
+		type sshd_unit_file_t;
+	')
+
+	systemd_search_unit_dirs($1)
+	allow $1 sshd_unit_file_t:file getattr_file_perms;
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 58297d5f3e..bcff326ffe 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -79,6 +79,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/system-generators/systemd-fstab-generator	--	gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-rc-local-generator	--	gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-ssh-generator	--	gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator	--	gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/systemd-resolve(d|-host)			gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-importd		--	gen_context(system_u:object_r:systemd_importd_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e370118d8c..25e4a5cd12 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -201,6 +201,8 @@ systemd_generator_template(systemd_fstab_generator)
 
 #domain for rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
+# ssh-generator
+systemd_generator_template(systemd_ssh_generator)
 
 #domain for sysv-generator
 systemd_generator_template(systemd_sysv_generator)
@@ -1288,6 +1290,19 @@ systemd_manage_all_unit_files(systemd_fstab_generator_t)
 
 init_exec_script_files(systemd_rc_local_generator_t)
 
+### ssh generator
+allow systemd_ssh_generator_t self:vsock_socket create;
+allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms };
+
+kernel_read_sysctl(systemd_ssh_generator_t)
+
+dev_read_sysfs(systemd_ssh_generator_t)
+
+optional_policy(`
+	ssh_domtrans(systemd_ssh_generator_t)
+	ssh_getattr_unit_file(systemd_ssh_generator_t)
+')
+
 #######################################
 #
 # systemd_sysv_generator_t