From 2f172413e104c7ff5ad9799c2030464e29422d53 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Fri, 6 Oct 2023 11:10:48 +0200 Subject: [PATCH] Allow kernel_t to manage and relabel all files Extend the abitlity to manage all files also to character & block device files and also allow relabeling any file. This is required for early boot overlay mounts to fully work, but may be needed for other legitimate oprations as well. See also: https://github.com/ostreedev/ostree/pull/3062 Signed-off-by: Ondrej Mosnacek
---
 policy/modules/kernel/files.if | 38 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te | 3 +++
 2 files changed, 41 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 008b6ec719..d8bb82e7aa 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1839,6 +1839,44 @@ interface(`files_manage_all_files',`
 ')
 ')
+########################################
+##
+## Manage all block device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_blk_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_blk_files_pattern($1, file_type, file_type)
+')
+ ########################################
+##
+## Manage all character device files on the filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_all_chr_files',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ manage_chr_files_pattern($1, file_type, file_type)
+')
+ ########################################
 ##
 ## Grant execute access to all files on the filesystem,
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ccb914f4a4..9bb09e25f1 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
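Review bot: The summaries of the new `files_manage_all_blk_files` and `files_manage_all_chr_files` interfaces do not tell callers that `manage_blk_files_pattern`/`manage_chr_files_pattern` over every `file_type` also covers creating and unlinking device nodes in any `file_type`-labelled directory, which is a much broader grant than managing regular files and is the reason the commit needs it for early boot overlay mounts. Suggest widening each summary line, e.g. `## Manage all block device files on the filesystem, including creating and removing block device nodes in any directory of a file_type type; intended only for highly privileged domains such as the kernel.` Both interfaces take only the domain parameter; if `files_manage_all_files`, whose closing lines form this hunk's leading context but whose body is outside it, accepts an exception-types argument, mirroring it here would let callers keep particular device node types out of reach.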
@@ -385,6 +385,9 @@ domain_rw_all_sockets(kernel_t)
 domain_obj_id_change_exemption(kernel_t)
 files_manage_all_files(kernel_t)
+files_manage_all_blk_files(kernel_t)
+files_manage_all_chr_files(kernel_t)
+files_relabel_all_files(kernel_t)
 # The 'execute' permission on lower inodes is checked against the mounter
 # cred by overlayfs, so we need to grant it to allow overlay mounts created
 # during early boot to work.
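Review bot: The three new grants let kernel_t create block and character device nodes under, and relabel, anything carrying `file_type`, but unlike the `execute` grant directly below them they carry no comment explaining why such a broad exemption is needed; the rationale lives only in the commit message. Suggest a comment above `files_manage_all_blk_files(kernel_t)` in the same style as the existing one, e.g. `# Early boot overlay mounts need kernel_t to create device nodes and relabel` / `# files of any file_type; see ostreedev/ostree pull 3062.` Since `files_relabel_all_files` is not defined in this patch, its exact permission set (presumably relabelfrom and relabelto on all file classes) is not visible here and is worth confirming before merging, as relabelto over all `file_type` lets the domain move objects into any file label.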