Support using systemd containers

Resolves: rhbz#1900869

policy/modules/contrib/dbus.te

@@ -238,6 +238,10 @@ optional_policy(`
 	files_config_all_files(system_dbusd_t)
 ')
 
+optional_policy(`
+	term_use_generic_ptys(system_dbusd_t)
+')
+
 optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')

policy/modules/kernel/filesystem.if

@@ -6229,6 +6229,25 @@ interface(`fs_manage_tmpfs_sockets',`
 	manage_sock_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
+########################################
+## <summary>
+##	Write to socket files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_tmpfs_socket_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	write_sock_files_pattern($1, tmpfs_t, tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Read and write, create and delete character

policy/modules/system/systemd.te

@@ -452,7 +452,7 @@ optional_policy(`
 allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
 allow systemd_machined_t systemd_unit_file_t:service { status start stop };
 allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
-allow systemd_machined_t self:cap_userns { sys_chroot };
+allow systemd_machined_t self:cap_userns { setgid setuid sys_admin sys_chroot sys_ptrace };
 
 manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
 manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
@@ -464,16 +464,21 @@ manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_mac
 manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
 init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
 
-fs_read_nsfs_files(systemd_machined_t)
-fs_write_cgroup_files(systemd_machined_t)
-
 kernel_dgram_send(systemd_machined_t)
 # This is a bug, but need for now.
 kernel_read_unlabeled_state(systemd_machined_t)
 
 domain_signal_all_domains(systemd_machined_t)
 domain_signull_all_domains(systemd_machined_t)
 
+files_read_var_lib_symlinks(systemd_machined_t)
+files_write_root_dirs(systemd_machined_t)
+
+fs_read_nsfs_files(systemd_machined_t)
+fs_read_tmpfs_symlinks(systemd_machined_t)
+fs_write_cgroup_files(systemd_machined_t)
+fs_write_tmpfs_socket_files(systemd_machined_t)
+
 init_dbus_chat(systemd_machined_t)
 init_status(systemd_machined_t)
 init_start(systemd_machined_t)
@@ -507,6 +512,15 @@ optional_policy(`
     mock_read_lib_files(systemd_machined_t)
 ')
 
+optional_policy(`
+	term_use_generic_ptys(systemd_machined_t)
+')
+
+optional_policy(`
+	unconfined_server_read_state(systemd_machined_t)
+	unconfined_server_stream_connectto(systemd_machined_t)
+')
+
 optional_policy(`
 	virt_dbus_chat(systemd_machined_t)
 	virt_sandbox_read_state(systemd_machined_t)

policy/modules/system/unconfined.if

@@ -429,3 +429,21 @@ interface(`unconfined_server_read_semaphores',`
 
 	allow $1 unconfined_service_t:sem r_sem_perms;
 ')
+
+#######################################
+## <summary>
+##	Allow the specified domain read unconfined service process state
+## </summary>
+##	<param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_server_read_state',`
+	gen_require(`
+		type unconfined_service_t;
+	')
+
+	ps_process_pattern($1, unconfined_service_t)
+')