From 928c820a1d73f217fefbce758eaa7730f0221792 Mon Sep 17 00:00:00 2001
From: Clayton Casciato
Date: Mon, 7 Apr 2025 10:58:35 -0600
Subject: [PATCH] refpolicy: files, init - filetrans /run/machine-id etc_runtime_t
Signed-off-by: Clayton Casciato
Signed-off-by: Yi Zhao
---
 ...ultiple-filetrans-run_machine_id-etc.patch | 109 ++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 110 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch
diff --git a/recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch b/recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch
new file mode 100644
index 0000000..8cab157
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch
@@ -0,0 +1,109 @@
+From befa4fcb91c883c9ff93f0080d12d3d5004dc8cc Mon Sep 17 00:00:00 2001
+From: Clayton Casciato
+Date: Fri, 14 Mar 2025 09:04:49 -0600
+Subject: [PATCH] files, init: filetrans /run/machine-id etc_runtime_t
+
+type=PROCTITLE proctitle=/usr/lib/systemd/systemd-logind
+
+type=SYSCALL arch=armeb syscall=openat per=PER_LINUX success=yes exit=21
+a0=AT_FDCWD a1=0xb6eb6c2c a2=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC
+a3=0x0 items=0 ppid=1 pid=435 auid=unset uid=root gid=root euid=root
+suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=systemd-logind exe=/usr/lib/systemd/systemd-logind
+subj=system_u:system_r:systemd_logind_t:s0 key=(null)
+
+type=AVC avc: denied { open } for pid=435 comm=systemd-logind
+path=/etc/machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+type=AVC avc: denied { read } for pid=435 comm=systemd-logind
+name=machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+--
+
+https://www.spinics.net/lists/systemd-devel/msg09631.html
+Reproduction and suggestion to use dedicated type (TODO)
+
+--
+
+Fedora:
+
+$ matchpathcon /run/machine-id
+/run/machine-id system_u:object_r:machineid_t:s0
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.fc#L67
+
+$ sesearch --type_transition --class file --source init_t
+--target var_run_t | grep machine
+type_transition init_t var_run_t:file machineid_t machine-id;
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.te#L241
+
+Signed-off-by: Clayton Casciato
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/e053fced8c911bc390a81ca5ee7f3baccecb70e1]
+
+Signed-off-by: Clayton Casciato
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ 3 files changed, 21 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c5012e6b4..3cdfd2f80 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -154,6 +154,7 @@ HOME_ROOT/lost\+found/.* <>
+ /run -l gen_context(system_u:object_r:var_run_t,s0)
+ /run/shm -l gen_context(system_u:object_r:var_run_t,s0)
+ /run/.* <>
++/run/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ 
+ #
+ # /selinux
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index f2c714579..9ade962a9 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -3734,6 +3734,25 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
+ dontaudit $1 etc_runtime_t:file setattr;
+ ')
+ 
++########################################
++##
++## Create a machine-id file in
++## the runtime directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_runtime_filetrans_machine_id',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ files_runtime_filetrans($1, etc_runtime_t, file, "machine-id")
++')
++
+ ########################################
+ ##
+ ## Read files in /etc that are dynamically
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8af34aa7e..026f77c16 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -178,6 +178,7 @@ allow init_t init_linkable_keyring_type:key link;
+ # For /var/run/shutdown.pid.
+ allow init_t init_runtime_t:file manage_file_perms;
+ files_runtime_filetrans(init_t, init_runtime_t, file)
++files_runtime_filetrans_machine_id(init_t)
+ 
+ # for /run/initctl
+ allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 71b143b..c40d6e7 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
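Review bot: The `/run/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0)` entry added to files.fc and the `files_runtime_filetrans_machine_id(init_t)` call added to init.te label the machine ID with the shared etc_runtime_t type rather than a dedicated one, so every domain already allowed to write etc_runtime_t files can also rewrite a value that other services treat as a stable host identity; the embedded commit message itself records the dedicated type (Fedora's `machineid_t`) as a TODO. If the shared type is kept for this backport, record the trade-off where the next maintainer will see it, e.g. a plain `# NOTE: /run/machine-id shares etc_runtime_t; a dedicated type is still TODO.` line directly above the new files_runtime_filetrans_machine_id interface (a single `#` line stays out of the XML doc block, unlike `##`). The quoted denial is systemd_logind_t reading the file, and nothing in this hunk grants that domain read access on etc_runtime_t files, so that should be confirmed separately before the denial is treated as resolved.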
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -77,6 +77,7 @@ SRC_URI += " \
 file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
 file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
 file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
+ file://0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch \
 "
 
 S = "${WORKDIR}/refpolicy"