From abba0948a9c0dfcca7c0ea7f684966420847c12c Mon Sep 17 00:00:00 2001 From: Gabriel Valcazar Date: Thu, 26 Aug 2021 18:31:43 +0200 Subject: [PATCH] refpolicy: adapt reference policy to DEY prebuilt image features The default policy provided by meta-selinux breaks a lot of the features in DEY, so adapt it to make most features work. Note that this is simply an example; end users should create their own policies for their own needs. Make these changes toggleable so that users can use the reference policy instead. https://onedigi.atlassian.net/browse/DEL-7641
Signed-off-by: Gabriel Valcazar --- .../conf/machine/include/digi-defaults.inc | 3 + ...-Apply-rules-for-DEY-prebuilt-images.patch | 881 ++++++++++++++++++ ...-executables-run-in-the-udev_t-realm.patch | 86 ++ .../refpolicy/refpolicy-mcs_git.bbappend | 1 + .../refpolicy/refpolicy-minimum_git.bbappend | 1 + .../refpolicy/refpolicy-mls_git.bbappend | 1 + .../refpolicy/refpolicy-standard_git.bbappend | 1 + .../refpolicy/refpolicy-targeted_git.bbappend | 1 + .../refpolicy/refpolicy_dey.inc | 8 + 9 files changed, 983 insertions(+) create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend create mode 100644 meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc diff --git a/meta-digi-arm/conf/machine/include/digi-defaults.inc b/meta-digi-arm/conf/machine/include/digi-defaults.inc index 0c21fa198..8daf9a1f6 100644 --- a/meta-digi-arm/conf/machine/include/digi-defaults.inc +++ b/meta-digi-arm/conf/machine/include/digi-defaults.inc 
@@ -79,3 +79,6 @@ DEFAULT_IMAGE_NAME ??= "dey-image-qt" # List of graphical images names (for install scripts) GRAPHICAL_IMAGES ?= "dey-image-qt dey-image-webkit" + +# Include DEY SELinux policy modifications by default +DEY_SELINUX_POLICY ?= "1" diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch new file mode 100644 index 000000000..ae55f3c4f --- /dev/null +++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-prebuilt-images.patch 
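Review bot: `DEY_SELINUX_POLICY ?= "1"` switches the DEY policy modifications on for every machine that includes this file, while the commit description calls them an example and says end users should write their own policy; the comment above the variable should say what the flag actually enables and how to opt out, because nothing in the hunk tells a reader that "1" pulls a set of audit2allow-derived allow rules on top of refpolicy. I would extend the comment to `# DEY_SELINUX_POLICY = "1" applies the DEY patches to refpolicy (extra allow rules generated from AVC denials);` followed by `# set it to "0" to build the unmodified reference policy.` The recipe logic that consumes the variable (refpolicy_dey.inc) is outside this hunk, so whether "0" is the recognised off value is inferred from the commit message rather than from visible code.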
@@ -0,0 +1,881 @@ +From: Gabriel Valcazar +Date: Fri, 20 Aug 2021 11:59:27 +0200 +Subject: [PATCH 1/2] Apply rules for DEY prebuilt images + +These rules were obtained by putting the system's SELinux in permissive mode, +extracting all of the AVC denials, and then running them through audit2allow. +This allows to use most of the features that are expected to work out of the +box in DEY. + +Signed-off-by: Gabriel Valcazar +--- + policy/modules/admin/alsa.te | 10 +++++ + policy/modules/admin/dmesg.te | 7 ++++ + policy/modules/admin/netutils.te | 7 ++++ + policy/modules/apps/pulseaudio.if | 9 +++++ + policy/modules/apps/pulseaudio.te | 15 +++++++ + policy/modules/kernel/corecommands.if | 8 ++++ + policy/modules/kernel/devices.if | 48 +++++++++++++++++++++++ + policy/modules/roles/sysadm.if | 24 ++++++++++++ + policy/modules/roles/sysadm.te | 47 ++++++++++++++++++++++ + policy/modules/services/acpi.if | 8 ++++ + policy/modules/services/acpi.te | 20 ++++++++++ + policy/modules/services/apache.if | 8 ++++ + policy/modules/services/bluetooth.if | 10 +++++ + policy/modules/services/bluetooth.te | 10 +++++ + policy/modules/services/consolekit.te | 7 ++++ + policy/modules/services/dbus.if | 8 ++++ + policy/modules/services/dbus.te | 7 ++++ + policy/modules/services/modemmanager.te | 10 +++++ + policy/modules/services/networkmanager.if | 8 ++++ + policy/modules/services/networkmanager.te | 23 +++++++++++ + policy/modules/system/init.te | 7 ++++ + policy/modules/system/libraries.if | 8 ++++ + policy/modules/system/locallogin.te | 9 +++++ + policy/modules/system/logging.if | 8 ++++ + policy/modules/system/logging.te | 11 ++++++ + policy/modules/system/modutils.te | 8 ++++ + policy/modules/system/mount.te | 7 ++++ + policy/modules/system/selinuxutil.te | 8 ++++ + policy/modules/system/sysnetwork.te | 8 ++++ + policy/modules/system/systemd.if | 24 ++++++++++++ + policy/modules/system/systemd.te | 22 +++++++++++ + policy/modules/system/udev.if | 8 ++++ + 
policy/modules/system/udev.te | 7 ++++ + policy/modules/system/userdomain.if | 8 ++++ + policy/modules/system/userdomain.te | 7 ++++ + policy/modules/system/xdg.if | 16 ++++++++ + 36 files changed, 460 insertions(+) + +diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te +index 09d590add..2762fc664 100644 +--- a/policy/modules/admin/alsa.te ++++ b/policy/modules/admin/alsa.te +@@ -111,3 +111,13 @@ optional_policy(` + hal_use_fds(alsa_t) + hal_write_log(alsa_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow alsa_t var_lock_t:file { getattr lock open read write }; ++ ++allow alsa_t alsa_var_lib_t:lnk_file read; ++xdg_config_dirs_search(alsa_t) +diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te +index 228baecd8..ccec67c80 100644 +--- a/policy/modules/admin/dmesg.te ++++ b/policy/modules/admin/dmesg.te +@@ -60,3 +60,10 @@ optional_policy(` + optional_policy(` + udev_read_db(dmesg_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++corecmd_map_exec_bin_files(dmesg_t) +diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te +index 5cdfe2196..31e9d970c 100644 +--- a/policy/modules/admin/netutils.te ++++ b/policy/modules/admin/netutils.te +@@ -212,3 +212,10 @@ userdom_use_inherited_user_terminals(traceroute_t) + # nmap searches . 
+ userdom_dontaudit_search_user_home_dirs(traceroute_t) + userdom_dontaudit_search_user_home_content(traceroute_t) ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow ping_t bin_t:file { execute map read }; +diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if +index 1b9c6ccde..aeac19008 100644 +--- a/policy/modules/apps/pulseaudio.if ++++ b/policy/modules/apps/pulseaudio.if +@@ -147,6 +147,15 @@ interface(`pulseaudio_signull',` + allow $1 pulseaudio_t:process signull; + ') + ++interface(`pulseaudio_connectto',` ++ gen_require(` ++ type pulseaudio_t; ++ ') ++ ++ allow $1 pulseaudio_t:unix_stream_socket connectto; ++ allow $1 pulseaudio_t:fd use; ++') ++ + ######################################## + ## + ## Use file descriptors for +diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te +index 3a50fc5b2..ce24736f3 100644 +--- a/policy/modules/apps/pulseaudio.te ++++ b/policy/modules/apps/pulseaudio.te +@@ -311,3 +311,18 @@ optional_policy(` + optional_policy(` + unconfined_signull(pulseaudio_client) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow pulseaudio_t self:capability net_admin; ++systemd_watch_logind_sessions_files(pulseaudio_t) ++allow pulseaudio_t user_runtime_root_t:dir { add_name create read remove_name write }; ++allow pulseaudio_t user_runtime_root_t:file { create getattr lock open read unlink write }; ++allow pulseaudio_t user_runtime_root_t:sock_file { create setattr }; ++allow pulseaudio_t user_home_dir_t:dir create; ++dbus_write_sock_file(pulseaudio_t) ++sysadm_use_fds(pulseaudio_t) ++sysadm_connectto_socket(pulseaudio_t) +diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if +index c605ca5f7..e7b41c32c 100644 +--- a/policy/modules/kernel/corecommands.if ++++ b/policy/modules/kernel/corecommands.if +@@ -199,6 +199,14 @@ interface(`corecmd_check_exec_bin_files',` + allow $1 
bin_t:file { execute getattr }; + ') + ++interface(`corecmd_map_exec_bin_files',` ++ gen_require(` ++ type bin_t; ++ ') ++ ++ allow $1 bin_t:file { execute map read }; ++') ++ + ######################################## + ## + ## Read files in bin directories. +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 406b29796..e4ad0d3b8 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -2114,6 +2114,14 @@ interface(`dev_getattr_input_dev',` + allow $1 event_device_t:chr_file getattr; + ') + ++interface(`dev_read_input_dev',` ++ gen_require(` ++ type event_device_t; ++ ') ++ ++ allow $1 event_device_t:chr_file read; ++') ++ + ######################################## + ## + ## Set the attributes of the event devices. +@@ -2260,6 +2268,38 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` + dontaudit $1 framebuf_device_t:chr_file setattr; + ') + ++interface(`dev_read_write_framebuffer_dev',` ++ gen_require(` ++ type framebuf_device_t; ++ ') ++ ++ allow $1 framebuf_device_t:chr_file { read write }; ++') ++ ++interface(`dev_use_gpiochip',` ++ gen_require(` ++ type gpiochip_device_t; ++ ') ++ ++ allow $1 gpiochip_device_t:chr_file { ioctl open read write }; ++') ++ ++interface(`dev_use_watchdog',` ++ gen_require(` ++ type watchdog_device_t; ++ ') ++ ++ allow $1 watchdog_device_t:chr_file { ioctl open read write }; ++') ++ ++interface(`dev_use_wireless',` ++ gen_require(` ++ type wireless_device_t; ++ ') ++ ++ allow $1 wireless_device_t:chr_file { ioctl open read write }; ++') ++ + ######################################## + ## + ## Read the framebuffer. 
+@@ -5064,6 +5104,14 @@ interface(`dev_dontaudit_getattr_video_dev',` + dontaudit $1 v4l_device_t:chr_file getattr; + ') + ++interface(`dev_handle_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ allow $1 v4l_device_t:chr_file { ioctl map open read write }; ++') ++ + ######################################## + ## + ## Set the attributes of video4linux device nodes. +diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if +index 5c2871842..49416d26e 100644 +--- a/policy/modules/roles/sysadm.if ++++ b/policy/modules/roles/sysadm.if +@@ -211,6 +211,14 @@ interface(`sysadm_sigchld',` + allow $1 sysadm_t:process sigchld; + ') + ++interface(`sysadm_transition',` ++ gen_require(` ++ type sysadm_t; ++ ') ++ ++ allow $1 sysadm_t:process transition; ++') ++ + ######################################## + ## + ## Inherit and use sysadm file descriptors +@@ -229,6 +237,22 @@ interface(`sysadm_use_fds',` + allow $1 sysadm_t:fd use; + ') + ++interface(`sysadm_connectto_socket',` ++ gen_require(` ++ type sysadm_t; ++ ') ++ ++ allow $1 sysadm_t:unix_stream_socket connectto; ++') ++ ++interface(`sysadm_sendto_unix_dgram_socket',` ++ gen_require(` ++ type sysadm_t; ++ ') ++ ++ allow $1 sysadm_t:unix_dgram_socket sendto; ++') ++ + ######################################## + ## + ## Read and write sysadm user unnamed pipes. 
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 310a4fad2..4a3dc7a58 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -1375,3 +1375,50 @@ ifndef(`distro_redhat',` + ') + ') + ++######################################## ++# ++# DEY custom rules ++# ++ ++allow sysadm_t init_exec_t:file entrypoint; ++allow sysadm_t init_t:unix_stream_socket { ioctl read write }; ++allow sysadm_t self:capability audit_write; ++allow sysadm_t self:system reload; ++allow sysadm_t user_runtime_root_t:blk_file create; ++allow sysadm_t user_runtime_root_t:chr_file create; ++allow sysadm_t usr_t:file execute; ++ ++allow sysadm_t device_t:chr_file { create ioctl open read write }; ++dev_read_write_framebuffer_dev(sysadm_t) ++allow sysadm_t initrc_t:unix_stream_socket connectto; ++pulseaudio_connectto(sysadm_t) ++ ++#!!!! This avc can be allowed using the boolean 'allow_execmem' ++allow sysadm_t self:process execmem; ++allow sysadm_t usr_t:file execute_no_trans; ++ ++allow sysadm_t user_tmpfs_t:file { execmod execute }; ++ ++dev_use_gpiochip(sysadm_t) ++allow sysadm_t kernel_t:system module_request; ++allow sysadm_t self:can_socket { bind create getopt read setopt write }; ++dev_use_watchdog(sysadm_t) ++ ++networkmanager_sendto_unix_dgram_socket(sysadm_t) ++allow sysadm_t initrc_t:fd use; ++xdg_dir_watch(sysadm_t) ++ ++allow sysadm_t device_t:chr_file map; ++allow sysadm_t device_t:dir watch; ++allow sysadm_t framebuf_device_t:chr_file { ioctl open }; ++apache_execute_runtime_files(sysadm_t) ++dev_handle_video_dev(sysadm_t) ++ ++allow sysadm_t self:bluetooth_socket create; ++allow sysadm_t self:process execstack; ++ ++allow sysadm_t self:bluetooth_socket ioctl; ++ ++dev_manage_dri_dev(sysadm_t) ++allow sysadm_t self:netlink_route_socket nlmsg_write; ++allow sysadm_t semanage_t:process { noatsecure rlimitinh siginh }; +diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if +index 
e6805e1d3..849e3ea15 100644 +--- a/policy/modules/services/acpi.if ++++ b/policy/modules/services/acpi.if +@@ -119,6 +119,14 @@ interface(`acpi_append_log',` + allow $1 acpid_log_t:file append_file_perms; + ') + ++interface(`acpi_write_lock',` ++ gen_require(` ++ type acpid_lock_t; ++ ') ++ ++ allow $1 acpid_lock_t:file write; ++') ++ + ######################################## + ## + ## Connect to apmd over an unix +diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te +index 26d16a369..c54302289 100644 +--- a/policy/modules/services/acpi.te ++++ b/policy/modules/services/acpi.te +@@ -235,3 +235,23 @@ optional_policy(` + optional_policy(` + xserver_domtrans(acpid_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++bluetooth_manage_config(acpid_t) ++kernel_search_debugfs(acpid_t) ++init_read_utmp(acpid_t) ++allow acpid_t self:bluetooth_socket { bind create ioctl write }; ++allow acpid_t self:capability { net_admin net_raw }; ++allow acpid_t self:process { getsched setpgid }; ++allow acpid_t var_log_t:file { open write }; ++ ++dev_use_gpiochip(acpid_t) ++allow acpid_t self:bluetooth_socket listen; ++ ++#!!!! 
This avc can be allowed using the boolean 'allow_ypbind' ++allow acpid_t self:capability net_bind_service; ++dev_use_wireless(acpid_t) +diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if +index 71696f051..366f5fdeb 100644 +--- a/policy/modules/services/apache.if ++++ b/policy/modules/services/apache.if +@@ -1319,6 +1319,14 @@ interface(`apache_cgi_domain',` + allow httpd_t $1:process signal; + ') + ++interface(`apache_execute_runtime_files',` ++ gen_require(` ++ type httpd_runtime_t; ++ ') ++ ++ allow $1 httpd_runtime_t:file execute; ++') ++ + ######################################## + ## + ## All of the rules required to +diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if +index e35e86312..1580a772c 100644 +--- a/policy/modules/services/bluetooth.if ++++ b/policy/modules/services/bluetooth.if +@@ -107,6 +107,16 @@ interface(`bluetooth_read_config',` + allow $1 bluetooth_conf_t:file read_file_perms; + ') + ++interface(`bluetooth_manage_config',` ++ gen_require(` ++ type bluetooth_conf_t, bluetooth_t; ++ ') ++ ++ allow $1 bluetooth_conf_t:dir search; ++ allow $1 bluetooth_conf_t:file { open read }; ++ allow $1 bluetooth_t:process signal; ++') ++ + ######################################## + ## + ## Send and receive messages from +diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te +index 63e50aeda..ec822154f 100644 +--- a/policy/modules/services/bluetooth.te ++++ b/policy/modules/services/bluetooth.te +@@ -223,3 +223,13 @@ optional_policy(` + optional_policy(` + xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++logging_allow_write_generic_logs(bluetooth_t) ++ ++allow bluetooth_t self:alg_socket { bind create }; ++allow bluetooth_t syslogd_runtime_t:sock_file write; +diff --git a/policy/modules/services/consolekit.te 
b/policy/modules/services/consolekit.te +index 105bd45c7..292fd5074 100644 +--- a/policy/modules/services/consolekit.te ++++ b/policy/modules/services/consolekit.te +@@ -172,3 +172,10 @@ optional_policy(` + optional_policy(` + unconfined_stream_connect(consolekit_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow consolekit_t var_log_t:dir create; +diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if +index 146262d88..f59642950 100644 +--- a/policy/modules/services/dbus.if ++++ b/policy/modules/services/dbus.if +@@ -165,6 +165,14 @@ interface(`dbus_connect_all_session_bus',` + allow $1 session_bus_type:dbus acquire_svc; + ') + ++interface(`dbus_write_sock_file',` ++ gen_require(` ++ type session_dbusd_runtime_t; ++ ') ++ ++ allow $1 session_dbusd_runtime_t:sock_file write; ++') ++ + ####################################### + ## + ## Acquire service on specified +diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te +index 8ae5c8d93..bcf8b9677 100644 +--- a/policy/modules/services/dbus.te ++++ b/policy/modules/services/dbus.te +@@ -315,3 +315,10 @@ optional_policy(` + + allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; + allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow system_dbusd_t syslogd_runtime_t:sock_file write; +diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te +index 784221a03..1f6f698c2 100644 +--- a/policy/modules/services/modemmanager.te ++++ b/policy/modules/services/modemmanager.te +@@ -58,3 +58,13 @@ optional_policy(` + udev_read_db(modemmanager_t) + udev_manage_runtime_files(modemmanager_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow modemmanager_t self:process setsched; ++allow modemmanager_t 
syslogd_runtime_t:sock_file write; ++ ++allow modemmanager_t self:capability sys_nice; +diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if +index ef738db1e..7e203a0d2 100644 +--- a/policy/modules/services/networkmanager.if ++++ b/policy/modules/services/networkmanager.if +@@ -171,6 +171,14 @@ interface(`networkmanager_signal',` + allow $1 NetworkManager_t:process signal; + ') + ++interface(`networkmanager_sendto_unix_dgram_socket',` ++ gen_require(` ++ type NetworkManager_t; ++ ') ++ ++ allow $1 NetworkManager_t:unix_dgram_socket sendto; ++') ++ + ######################################## + ## + ## Watch networkmanager etc dirs. +diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te +index ce48909dd..e5f9e5da0 100644 +--- a/policy/modules/services/networkmanager.te ++++ b/policy/modules/services/networkmanager.te +@@ -397,3 +397,26 @@ init_use_script_ptys(wpa_cli_t) + miscfiles_read_localization(wpa_cli_t) + + term_dontaudit_use_console(wpa_cli_t) ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow NetworkManager_t device_t:chr_file { ioctl open read write }; ++libs_watch(NetworkManager_t) ++fs_read_nsfs_files(NetworkManager_t) ++systemd_watch_logind_runtime_files(NetworkManager_t) ++systemd_watch_machines(NetworkManager_t) ++systemd_watch_logind_sessions_files(NetworkManager_t) ++ ++sysadm_sendto_unix_dgram_socket(NetworkManager_t) ++ ++allow NetworkManager_t etc_t:dir watch; ++ ++acpi_use_fds(NetworkManager_t) ++consolekit_watch_runtime_dir(NetworkManager_t) ++ ++acpi_write_lock(NetworkManager_t) ++acpi_append_log(NetworkManager_t) ++dev_read_input_dev(NetworkManager_t) +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 6b6b723b8..f43acf976 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1486,3 +1486,10 @@ optional_policy(` + 
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) + userdom_dontaudit_write_user_tmp_files(systemprocess) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++sysadm_transition(init_t) +diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if +index d1379fbe6..dc25cb26f 100644 +--- a/policy/modules/system/libraries.if ++++ b/policy/modules/system/libraries.if +@@ -251,6 +251,14 @@ interface(`libs_manage_lib_dirs',` + allow $1 lib_t:dir manage_dir_perms; + ') + ++interface(`libs_watch',` ++ gen_require(` ++ type lib_t; ++ ') ++ ++ allow $1 lib_t:dir watch; ++') ++ + ######################################## + ## + ## dontaudit attempts to setattr on library files +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 971ca40e5..da4689d33 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -289,3 +289,12 @@ optional_policy(` + optional_policy(` + nscd_use(sulogin_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow local_login_t init_runtime_t:sock_file write; ++allow local_login_t initrc_t:unix_stream_socket connectto; ++allow local_login_t syslogd_runtime_t:sock_file write; +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index e3cbe4f1a..81a512e7b 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -1261,6 +1261,14 @@ interface(`logging_dontaudit_write_generic_logs',` + dontaudit $1 var_log_t:file write; + ') + ++interface(`logging_allow_write_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ allow $1 var_log_t:file { getattr write }; ++') ++ + ######################################## + ## + ## Read and write generic log files. 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index c22613c0b..b332aeb21 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -627,3 +627,14 @@ optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow klogd_t bin_t:file { execute map read }; ++ ++allow syslogd_t bin_t:file { execute map read }; ++udevadm_signull(syslogd_t) ++userdom_manage_user_runtime_root_dirs(syslogd_t) +diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te +index 8fd009742..8c9056ead 100644 +--- a/policy/modules/system/modutils.te ++++ b/policy/modules/system/modutils.te +@@ -195,3 +195,11 @@ optional_policy(` + xserver_getattr_log(kmod_t) + ') + ++######################################## ++# ++# DEY custom rules ++# ++ ++acpi_write_lock(kmod_t) ++acpi_append_log(kmod_t) ++dev_read_input_dev(kmod_t) +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index 5bb4fe631..ddd6ce396 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -230,3 +230,10 @@ optional_policy(` + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) + unconfined_domain(unconfined_mount_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++userdom_append_getattr(mount_t) +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 09fef149b..3fd8b81c5 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -691,3 +691,11 @@ optional_policy(` + optional_policy(` + hotplug_use_fds(setfiles_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow semanage_t load_policy_t:process { noatsecure rlimitinh siginh }; ++allow semanage_t setfiles_t:process { noatsecure rlimitinh siginh }; +diff --git 
a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index a77738924..28d7f42bb 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -424,3 +424,11 @@ optional_policy(` + xen_append_log(ifconfig_t) + xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) + ') ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow ifconfig_t bin_t:file { execute map read }; ++userdom_append_getattr(ifconfig_t); +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index b81300835..622682107 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -234,6 +234,14 @@ interface(`systemd_read_logind_runtime_files',` + allow $1 systemd_logind_runtime_t:file read_file_perms; + ') + ++interface(`systemd_watch_logind_runtime_files',` ++ gen_require(` ++ type systemd_logind_runtime_t; ++ ') ++ ++ allow $1 systemd_logind_runtime_t:dir watch; ++') ++ + ###################################### + ## + ## Manage systemd-logind runtime pipes. +@@ -313,6 +321,14 @@ interface(`systemd_read_logind_sessions_files',` + read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t) + ') + ++interface(`systemd_watch_logind_sessions_files',` ++ gen_require(` ++ type systemd_sessions_runtime_t; ++ ') ++ ++ allow $1 systemd_sessions_runtime_t:dir watch; ++') ++ + ###################################### + ## + ## Write inherited logind sessions pipes. 
+@@ -445,6 +461,14 @@ interface(`systemd_read_machines',` + allow $1 systemd_machined_runtime_t:file read_file_perms; + ') + ++interface(`systemd_watch_machines',` ++ gen_require(` ++ type systemd_machined_runtime_t; ++ ') ++ ++ allow $1 systemd_machined_runtime_t:dir watch; ++') ++ + ######################################## + ## + ## Send and receive messages from +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 7e573645b..4efc91a9b 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1420,3 +1420,25 @@ userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t) + userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t) + + dbus_system_bus_client(systemd_user_runtime_dir_t) ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow systemd_backlight_t sysctl_kernel_t:dir search; ++allow systemd_backlight_t sysctl_kernel_t:file { getattr ioctl open read }; ++allow systemd_backlight_t sysctl_t:dir search; ++ ++allow systemd_generator_t cgroup_t:filesystem getattr; ++allow systemd_generator_t removable_device_t:blk_file { getattr ioctl open read }; ++allow systemd_generator_t self:capability dac_override; ++allow systemd_generator_t self:process setfscreate; ++allow systemd_generator_t tmpfs_t:filesystem getattr; ++ ++allow systemd_logind_t initrc_runtime_t:file watch; ++allow systemd_logind_t initrc_t:unix_stream_socket connectto; ++ ++allow systemd_resolved_t system_dbusd_runtime_t:dir read; ++allow systemd_resolved_t systemd_resolved_runtime_t:lnk_file { create rename }; ++allow systemd_resolved_t system_dbusd_runtime_t:sock_file read; +diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if +index bdfd373da..468f83d2e 100644 +--- a/policy/modules/system/udev.if ++++ b/policy/modules/system/udev.if +@@ -597,3 +597,11 @@ interface(`udevadm_exec',` + + can_exec($1, udevadm_exec_t) + ') ++ ++interface(`udevadm_signull',` ++ 
gen_require(` ++ type udevadm_t; ++ ') ++ ++ allow $1 udevadm_t:process signull; ++') +diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te +index e483d63d3..2bd2fcdc7 100644 +--- a/policy/modules/system/udev.te ++++ b/policy/modules/system/udev.te +@@ -427,3 +427,10 @@ seutil_read_file_contexts(udevadm_t) + + init_dontaudit_use_fds(udevadm_t) + term_dontaudit_use_console(udevadm_t) ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++allow udev_t init_t:system start; +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 5aab9ada7..eb1d5ffbf 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -4361,6 +4361,14 @@ interface(`userdom_write_user_tmp_files',` + allow $1 user_tmp_t:file write_file_perms; + ') + ++interface(`userdom_append_getattr',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file { append getattr }; ++') ++ + ######################################## + ## + ## Do not audit attempts to write users +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index ce69ca10b..5cb2f75bc 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -130,3 +130,10 @@ files_poly_member(user_runtime_t) + files_poly_parent(user_runtime_t) + ubac_constrained(user_runtime_t) + userdom_user_runtime_content(user_runtime_t) ++ ++######################################## ++# ++# DEY custom rules ++# ++ ++dev_associate(user_tmpfs_t) +diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if +index 11fc43069..801c79d40 100644 +--- a/policy/modules/system/xdg.if ++++ b/policy/modules/system/xdg.if +@@ -215,6 +215,14 @@ interface(`xdg_create_cache_dirs',` + allow $1 xdg_cache_t:dir create_dir_perms; + ') + ++interface(`xdg_dir_watch',` ++ gen_require(` ++ type xdg_cache_t; ++ ') ++ ++ allow $1 xdg_cache_t:dir watch; ++') ++ + 
######################################## + ## + ## Manage the xdg cache home files +@@ -465,6 +473,14 @@ interface(`xdg_create_config_dirs',` + allow $1 xdg_config_t:dir create_dir_perms; + ') + ++interface(`xdg_config_dirs_search',` ++ gen_require(` ++ type xdg_config_t; ++ ') ++ ++ allow $1 xdg_config_t:dir search; ++') ++ + ######################################## + ## + ## Manage the xdg config home files diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch new file mode 100644 index 000000000..04d5e0eb5 --- /dev/null +++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch 
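Review bot: The sysadm_t rules `allow sysadm_t self:process execmem;` and `allow sysadm_t self:process execstack;`, together with `allow sysadm_t user_tmpfs_t:file { execmod execute };` and `allow sysadm_t usr_t:file execute_no_trans;`, remove the memory-execution and executable-labeling protections for the admin domain unconditionally, even though audit2allow's own `#!!!!` comment in the hunk points at the `allow_execmem` tunable; these should sit behind `tunable_policy(`allow_execmem', ...)` (and its execstack counterpart, if this refpolicy defines one) or be dropped, given the patch description admits the rules are a raw permissive-mode dump. Several other rules look like symptoms of mislabeled executables rather than missing permissions — acpid_t gaining `net_admin net_raw`, bluetooth, wireless and gpiochip access, sysadm_t gaining `init_exec_t:file entrypoint` paired with `sysadm_transition(init_t)` in init.te, and generic `device_t:chr_file` read/write for both sysadm_t and NetworkManager_t — and would be better fixed in the .fc files so the intended domain is entered instead of widening the wrong one. As a style point, the new interfaces (`corecmd_map_exec_bin_files`, `dev_use_gpiochip`, `sysadm_transition`, etc.) lack the `## <summary>` / `## <param>` XML header every neighbouring interface in these .if files carries, and `userdom_append_getattr(ifconfig_t);` has a trailing semicolon the surrounding calls do not. This is a single new-file hunk holding the whole nested patch, so the per-module context is only what the inner hunks quote.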
@@ -0,0 +1,86 @@
+From: Gabriel Valcazar
+Date: Fri, 20 Aug 2021 15:06:12 +0200
+Subject: [PATCH 2/2] Make udevadm_t executables run in the udev_t realm
+
+This prevents SELinux from denying udev activity in DEY. This is a partial port
+of the following commit:
+
+https://www.spinics.net/lists/selinux-refpolicy/msg00805.html
+
+Signed-off-by: Gabriel Valcazar
+---
+ policy/modules/system/udev.fc | 4 ++--
+ policy/modules/system/udev.if | 4 ++--
+ policy/modules/system/udev.te | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
+index ceb5b70b3..36d91f3a2 100644
+--- a/policy/modules/system/udev.fc
++++ b/policy/modules/system/udev.fc
+@@ -10,7 +10,7 @@
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+ /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+-/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
++/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
+ ')
+ 
+ /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+-/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
+index 468f83d2e..1b37166d2 100644
+--- a/policy/modules/system/udev.if
++++ b/policy/modules/system/udev.if
+@@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
+ #
+ interface(`udevadm_domtrans',`
+ gen_require(`
+- type udevadm_t, udevadm_exec_t;
++ type udevadm_t, udev_exec_t;
+ ')
+ 
+- domtrans_pattern($1, udevadm_exec_t, udevadm_t)
++ domtrans_pattern($1, udev_exec_t, udevadm_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 2bd2fcdc7..3bfde5bef 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -8,6 +8,7 @@ attribute_role udevadm_roles;
+ 
+ type udev_t;
+ type udev_exec_t;
++typealias udev_exec_t alias udevadm_exec_t;
+ type udev_helper_exec_t;
+ kernel_domtrans_to(udev_t, udev_exec_t)
+ domain_obj_id_change_exemption(udev_t)
+@@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
+ init_named_socket_activation(udev_t, udev_runtime_t)
+ 
+ type udevadm_t;
+-type udevadm_exec_t;
+-init_system_domain(udevadm_t, udevadm_exec_t)
+-application_domain(udevadm_t, udevadm_exec_t)
++application_domain(udevadm_t, udev_exec_t)
+ role udevadm_roles types udevadm_t;
+ 
+ type udev_etc_t alias etc_udev_t;
+@@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+ files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
++allow udev_t udev_runtime_t:dir watch;
+ 
+ kernel_load_module(udev_t)
+ kernel_read_system_state(udev_t)
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mcs_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
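Review bot: The embedded commit message says only that this stops udev denials, but with `init_system_domain(udevadm_t, udevadm_exec_t)` removed and udevadm relabelled to `udev_exec_t`, an init-spawned udevadm now takes the existing `init_daemon_domain(udev_t, udev_exec_t)` transition and runs with the full `udev_t` daemon privileges (kernel_load_module and the udev_runtime_t manage rules visible in the last udev.te hunk) rather than the narrower `udevadm_t`, so that privilege widening should be stated explicitly in the patch description. Because the rewritten `udevadm_domtrans` and refpolicy's existing `udev_domtrans` (not in this hunk) now key on the same exec type, any domain that calls both would carry two type_transition rules for the same (domain, udev_exec_t, process) triple with different targets, which the policy compiler rejects; that is worth a build check or a comment on `udevadm_domtrans` saying the two interfaces are now mutually exclusive per caller. The `typealias udev_exec_t alias udevadm_exec_t;` line keeps out-of-tree references compiling but reads as dead code without context; a comment such as `# udevadm shares udev_exec_t in DEY; alias kept for modules that still name udevadm_exec_t` would explain why the old name is retained.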
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-minimum_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-mls_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-standard_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend
new file mode 100644
index 000000000..8538fe7b8
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend
@@ -0,0 +1 @@
+include refpolicy_dey.inc
diff --git a/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc
new file mode 100644
index 000000000..89fdfe092
--- /dev/null
+++ b/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/refpolicy_dey.inc
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+DEY_POLICY_PATCHES = " \
+ file://0001-Apply-rules-for-DEY-prebuilt-images.patch \
+ file://0002-Make-udevadm_t-executables-run-in-the-udev_t-realm.patch \
+"
+
+SRC_URI += " ${@oe.utils.conditional('DEY_SELINUX_POLICY', '1', '${DEY_POLICY_PATCHES}', '', d)}"
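Review bot: The include never says what DEY_SELINUX_POLICY controls, what its default is, or that any value other than the literal '1' silently builds the unmodified reference policy, and since five bbappends share this file that is where a reader will look; a header comment such as `# DEY_SELINUX_POLICY = "1" applies the DEY example policy patches on top of meta-selinux's refpolicy; unset or any other value builds the unmodified reference policy.` would cover it. The commit also touches digi-defaults.inc, presumably to set the default, but that is not visible here and could be named in the same comment. The `FILESEXTRAPATHS_prepend` is applied unconditionally, which is harmless because nothing is fetched unless the conditional expands, though a short note saying so would stop the next reader from trying to gate it too.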