meta-digi/meta-digi-dey/dynamic-layers/selinux/recipes-security/refpolicy/files/0001-Apply-rules-for-DEY-pr...

From: Gabriel Valcazar <gabriel.valcazar@digi.com>
Date: Fri, 20 Aug 2021 11:59:27 +0200
Subject: [PATCH] Apply rules for DEY prebuilt images

These rules were obtained by putting the system's SELinux in permissive mode,
extracting all of the AVC denials, and then running them through audit2allow.
This allows to use most of the features that are expected to work out of the
box in DEY.

Signed-off-by: Gabriel Valcazar <gabriel.valcazar@digi.com>
---
 policy/modules/admin/alsa.te              | 10 +++++
 policy/modules/admin/dmesg.te             |  7 ++++
 policy/modules/admin/netutils.te          |  7 ++++
 policy/modules/apps/pulseaudio.if         |  9 +++++
 policy/modules/apps/pulseaudio.te         | 15 +++++++
 policy/modules/kernel/corecommands.if     |  8 ++++
 policy/modules/kernel/devices.if          | 48 +++++++++++++++++++++++
 policy/modules/roles/sysadm.if            | 24 ++++++++++++
 policy/modules/roles/sysadm.te            | 48 +++++++++++++++++++++++
 policy/modules/services/acpi.if           |  8 ++++
 policy/modules/services/acpi.te           | 20 ++++++++++
 policy/modules/services/apache.if         |  8 ++++
 policy/modules/services/bluetooth.if      | 10 +++++
 policy/modules/services/bluetooth.te      | 10 +++++
 policy/modules/services/dbus.if           | 16 ++++++++
 policy/modules/services/dbus.te           |  7 ++++
 policy/modules/services/modemmanager.te   | 10 +++++
 policy/modules/services/networkmanager.if |  8 ++++
 policy/modules/services/networkmanager.te | 22 +++++++++++
 policy/modules/system/init.te             |  7 ++++
 policy/modules/system/libraries.if        |  8 ++++
 policy/modules/system/locallogin.te       |  9 +++++
 policy/modules/system/logging.if          |  8 ++++
 policy/modules/system/logging.te          | 11 ++++++
 policy/modules/system/modutils.te         |  9 +++++
 policy/modules/system/mount.te            |  7 ++++
 policy/modules/system/selinuxutil.te      |  8 ++++
 policy/modules/system/sysnetwork.te       |  8 ++++
 policy/modules/system/systemd.if          | 24 ++++++++++++
 policy/modules/system/systemd.te          | 22 +++++++++++
 policy/modules/system/udev.if             |  8 ++++
 policy/modules/system/udev.te             |  7 ++++
 policy/modules/system/userdomain.if       |  8 ++++
 policy/modules/system/userdomain.te       |  7 ++++
 policy/modules/system/xdg.if              | 16 ++++++++
 35 files changed, 462 insertions(+)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 55f39a135..4a0c213d0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -106,3 +106,13 @@ miscfiles_read_localization(alsa_t)
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_user_home_dirs(alsa_t)
+
+########################################
+#
+# DEY custom rules
+#
+
+allow alsa_t var_lock_t:file { getattr lock open read write };
+
+allow alsa_t alsa_var_lib_t:lnk_file read;
+xdg_config_dirs_search(alsa_t)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 9f4f11397..a34445e1f 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -57,3 +57,10 @@ optional_policy(`
 	seutil_sigchld_newrole(dmesg_t)
 ')

+########################################
+#
+# DEY custom rules
+#
+
+corecmd_map_exec_bin_files(dmesg_t)
+
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1de82957b..cfdceb953 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -207,3 +207,10 @@ userdom_use_inherited_user_terminals(traceroute_t)
 # nmap searches .
 userdom_dontaudit_search_user_home_dirs(traceroute_t)
 userdom_dontaudit_search_user_home_content(traceroute_t)
+
+########################################
+#
+# DEY custom rules
+#
+
+allow ping_t bin_t:file { execute map read };
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 1b9c6ccde..aeac19008 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -147,6 +147,15 @@ interface(`pulseaudio_signull',`
 	allow $1 pulseaudio_t:process signull;
 ')

+interface(`pulseaudio_connectto',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	allow $1 pulseaudio_t:unix_stream_socket connectto;
+	allow $1 pulseaudio_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Use file descriptors for
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index fd2df71a2..a59272c59 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -302,3 +302,18 @@ optional_policy(`
 optional_policy(`
 	unconfined_signull(pulseaudio_client)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow pulseaudio_t self:capability net_admin;
+systemd_watch_logind_sessions_files(pulseaudio_t)
+allow pulseaudio_t user_runtime_root_t:dir { add_name create read remove_name write };
+allow pulseaudio_t user_runtime_root_t:file { create getattr lock open read unlink write };
+allow pulseaudio_t user_runtime_root_t:sock_file { create setattr };
+allow pulseaudio_t user_home_dir_t:dir create;
+dbus_write_sock_file(pulseaudio_t)
+sysadm_use_fds(pulseaudio_t)
+sysadm_connectto_socket(pulseaudio_t)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 2d7f27157..e07935514 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -199,6 +199,14 @@ interface(`corecmd_check_exec_bin_files',`
 	allow $1 bin_t:file { execute getattr };
 ')

+interface(`corecmd_map_exec_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:file { execute map read };
+')
+
 ########################################
 ## <summary>
 ##	Read files in bin directories.
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c0578a517..18422781d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2114,6 +2114,14 @@ interface(`dev_getattr_input_dev',`
 	allow $1 event_device_t:chr_file getattr;
 ')

+interface(`dev_read_input_dev',`
+	gen_require(`
+		type event_device_t;
+	')
+
+	allow $1 event_device_t:chr_file read;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of the event devices.
@@ -2259,6 +2267,38 @@ interface(`dev_setattr_framebuffer_dev',`
 	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
 ')

+interface(`dev_read_write_framebuffer_dev',`
+	gen_require(`
+		type framebuf_device_t;
+	')
+
+	allow $1 framebuf_device_t:chr_file { read write };
+')
+
+interface(`dev_use_gpiochip',`
+	gen_require(`
+		type gpiochip_device_t;
+	')
+
+	allow $1 gpiochip_device_t:chr_file { ioctl open read write };
+')
+
+interface(`dev_use_watchdog',`
+	gen_require(`
+		type watchdog_device_t;
+	')
+
+	allow $1 watchdog_device_t:chr_file { ioctl open read write };
+')
+
+interface(`dev_use_wireless',`
+	gen_require(`
+		type wireless_device_t;
+	')
+
+	allow $1 wireless_device_t:chr_file { ioctl open read write };
+')
+
 ########################################
 ## <summary>
 ##	Dot not audit attempts to set the attributes
@@ -5057,6 +5097,14 @@ interface(`dev_getattr_video_dev',`
 	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 ')

+interface(`dev_handle_video_dev',`
+	gen_require(`
+		type v4l_device_t;
+	')
+
+	allow $1 v4l_device_t:chr_file { ioctl map open read write };
+')
+
 ######################################
 ## <summary>
 ##	Read and write userio device.
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index 5c2871842..49416d26e 100644
--- a/policy/modules/roles/sysadm.if
+++ b/policy/modules/roles/sysadm.if
@@ -211,6 +211,14 @@ interface(`sysadm_sigchld',`
 	allow $1 sysadm_t:process sigchld;
 ')

+interface(`sysadm_transition',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:process transition;
+')
+
 ########################################
 ## <summary>
 ##	Inherit and use sysadm file descriptors
@@ -229,6 +237,22 @@ interface(`sysadm_use_fds',`
 	allow $1 sysadm_t:fd use;
 ')

+interface(`sysadm_connectto_socket',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:unix_stream_socket connectto;
+')
+
+interface(`sysadm_sendto_unix_dgram_socket',`
+	gen_require(`
+		type sysadm_t;
+	')
+
+	allow $1 sysadm_t:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##	Read and write sysadm user unnamed pipes.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b00fb1550..a2f799aed 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1350,3 +1350,51 @@ ifndef(`distro_redhat',`
 		java_role(sysadm_r, sysadm_t)
 	')
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow sysadm_t init_exec_t:file entrypoint;
+allow sysadm_t init_t:unix_stream_socket { ioctl read write };
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:system reload;
+allow sysadm_t user_runtime_root_t:blk_file create;
+allow sysadm_t user_runtime_root_t:chr_file create;
+allow sysadm_t usr_t:file execute;
+
+allow sysadm_t device_t:chr_file { create ioctl open read write };
+dev_read_write_framebuffer_dev(sysadm_t)
+allow sysadm_t initrc_t:unix_stream_socket connectto;
+pulseaudio_connectto(sysadm_t)
+
+#!!!! This avc can be allowed using the boolean 'allow_execmem'
+allow sysadm_t self:process execmem;
+allow sysadm_t usr_t:file execute_no_trans;
+
+allow sysadm_t user_tmpfs_t:file { execmod execute };
+
+dev_use_gpiochip(sysadm_t)
+allow sysadm_t kernel_t:system module_request;
+allow sysadm_t self:can_socket { bind create getopt read setopt write };
+dev_use_watchdog(sysadm_t)
+
+networkmanager_sendto_unix_dgram_socket(sysadm_t)
+allow sysadm_t initrc_t:fd use;
+xdg_dir_watch(sysadm_t)
+
+allow sysadm_t device_t:chr_file map;
+allow sysadm_t device_t:dir watch;
+allow sysadm_t framebuf_device_t:chr_file { ioctl open };
+apache_execute_runtime_files(sysadm_t)
+dev_handle_video_dev(sysadm_t)
+
+allow sysadm_t self:bluetooth_socket create;
+allow sysadm_t self:process execstack;
+
+allow sysadm_t self:bluetooth_socket ioctl;
+
+dev_manage_dri_dev(sysadm_t)
+allow sysadm_t self:netlink_route_socket nlmsg_write;
+allow sysadm_t semanage_t:process { noatsecure rlimitinh siginh };
diff --git a/policy/modules/services/acpi.if b/policy/modules/services/acpi.if
index e6805e1d3..849e3ea15 100644
--- a/policy/modules/services/acpi.if
+++ b/policy/modules/services/acpi.if
@@ -119,6 +119,14 @@ interface(`acpi_append_log',`
 	allow $1 acpid_log_t:file append_file_perms;
 ')

+interface(`acpi_write_lock',`
+	gen_require(`
+		type acpid_lock_t;
+	')
+
+	allow $1 acpid_lock_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Connect to apmd over an unix
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index bd442ff8a..932b02c1f 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
@@ -236,3 +236,23 @@ optional_policy(`
 optional_policy(`
 	xserver_domtrans(acpid_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+bluetooth_manage_config(acpid_t)
+kernel_search_debugfs(acpid_t)
+init_read_utmp(acpid_t)
+allow acpid_t self:bluetooth_socket { bind create ioctl write };
+allow acpid_t self:capability { net_admin net_raw };
+allow acpid_t self:process { getsched setpgid };
+allow acpid_t var_log_t:file { open write };
+
+dev_use_gpiochip(acpid_t)
+allow acpid_t self:bluetooth_socket listen;
+
+#!!!! This avc can be allowed using the boolean 'allow_ypbind'
+allow acpid_t self:capability net_bind_service;
+dev_use_wireless(acpid_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 1695af750..f5e673bd8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1357,6 +1357,14 @@ interface(`apache_cgi_domain',`
 	allow httpd_t $1:process signal;
 ')

+interface(`apache_execute_runtime_files',`
+	gen_require(`
+		type httpd_runtime_t;
+	')
+
+	allow $1 httpd_runtime_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index e35e86312..1580a772c 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -107,6 +107,16 @@ interface(`bluetooth_read_config',`
 	allow $1 bluetooth_conf_t:file read_file_perms;
 ')

+interface(`bluetooth_manage_config',`
+	gen_require(`
+		type bluetooth_conf_t, bluetooth_t;
+	')
+
+	allow $1 bluetooth_conf_t:dir search;
+	allow $1 bluetooth_conf_t:file { open read };
+	allow $1 bluetooth_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 931021346..e6412b657 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -219,3 +219,13 @@ optional_policy(`
 optional_policy(`
 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+logging_allow_write_generic_logs(bluetooth_t)
+
+allow bluetooth_t self:alg_socket { bind create };
+allow bluetooth_t syslogd_runtime_t:sock_file write;
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index d43c4fba0..2adce5cf6 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -167,6 +167,14 @@ interface(`dbus_connect_all_session_bus',`
 	allow $1 session_bus_type:dbus acquire_svc;
 ')

+interface(`dbus_write_sock_file',`
+	gen_require(`
+		type session_dbusd_runtime_t;
+	')
+
+	allow $1 session_dbusd_runtime_t:sock_file write;
+')
+
 #######################################
 ## <summary>
 ##	Acquire service on specified
@@ -614,6 +622,14 @@ interface(`dbus_list_system_bus_runtime',`
 	allow $1 system_dbusd_runtime_t:dir list_dir_perms;
 ')

+interface(`dbus_read_system_bus_runtime_dirs',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:dir read;
+')
+
 ########################################
 ## <summary>
 ##	Watch system bus runtime named sockets.
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index ddb493c2c..75835a23f 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -317,3 +317,10 @@ optional_policy(`

 allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
 allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+
+########################################
+#
+# DEY custom rules
+#
+
+allow system_dbusd_t syslogd_runtime_t:sock_file write;
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index deadee404..de5dda83f 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -57,3 +57,13 @@ optional_policy(`
 optional_policy(`
 	udev_manage_runtime_files(modemmanager_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow modemmanager_t self:process setsched;
+allow modemmanager_t syslogd_runtime_t:sock_file write;
+
+allow modemmanager_t self:capability sys_nice;
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index ef738db1e..7e203a0d2 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -171,6 +171,14 @@ interface(`networkmanager_signal',`
 	allow $1 NetworkManager_t:process signal;
 ')

+interface(`networkmanager_sendto_unix_dgram_socket',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:unix_dgram_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##	Watch networkmanager etc dirs.
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index c538bca09..dbc998296 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -383,3 +383,25 @@ init_use_script_ptys(wpa_cli_t)
 miscfiles_read_localization(wpa_cli_t)

 term_dontaudit_use_console(wpa_cli_t)
+
+########################################
+#
+# DEY custom rules
+#
+
+allow NetworkManager_t device_t:chr_file { ioctl open read write };
+libs_watch(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
+systemd_watch_logind_runtime_files(NetworkManager_t)
+systemd_watch_machines(NetworkManager_t)
+systemd_watch_logind_sessions_files(NetworkManager_t)
+
+sysadm_sendto_unix_dgram_socket(NetworkManager_t)
+
+allow NetworkManager_t etc_t:dir watch;
+
+acpi_use_fds(NetworkManager_t)
+
+acpi_write_lock(NetworkManager_t)
+acpi_append_log(NetworkManager_t)
+dev_read_input_dev(NetworkManager_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9b03d3767..68d80acb5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1483,3 +1483,10 @@ optional_policy(`
 	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
 	userdom_dontaudit_write_user_tmp_files(systemprocess)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+sysadm_transition(init_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index d1379fbe6..dc25cb26f 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -251,6 +251,14 @@ interface(`libs_manage_lib_dirs',`
 	allow $1 lib_t:dir manage_dir_perms;
 ')

+interface(`libs_watch',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	dontaudit attempts to setattr on library files
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 313112371..531fd5001 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -287,3 +287,12 @@ optional_policy(`
 optional_policy(`
 	nscd_use(sulogin_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow local_login_t init_runtime_t:sock_file write;
+allow local_login_t initrc_t:unix_stream_socket connectto;
+allow local_login_t syslogd_runtime_t:sock_file write;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 7233a108c..aa83f8fcb 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1264,6 +1264,14 @@ interface(`logging_dontaudit_write_generic_logs',`
 	dontaudit $1 var_log_t:file write;
 ')

+interface(`logging_allow_write_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:file { getattr write };
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic log files.
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index bdd5c9dff..93e37cc85 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -619,3 +619,14 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow klogd_t bin_t:file { execute map read };
+
+allow syslogd_t bin_t:file { execute map read };
+udevadm_signull(syslogd_t)
+userdom_manage_user_runtime_root_dirs(syslogd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b8769bc02..7f0bf56e0 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -183,3 +183,12 @@ optional_policy(`

 	xserver_getattr_log(kmod_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+acpi_write_lock(kmod_t)
+acpi_append_log(kmod_t)
+dev_read_input_dev(kmod_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index f55457bb0..abf2b8f41 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -229,3 +229,10 @@ optional_policy(`
 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
 	unconfined_domain(unconfined_mount_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+userdom_append_getattr(mount_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index a26f8db03..329f98c26 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -696,3 +696,11 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 	apt_use_fds(setfiles_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow semanage_t load_policy_t:process { noatsecure rlimitinh siginh };
+allow semanage_t setfiles_t:process { noatsecure rlimitinh siginh };
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b6fd3f907..9b8503274 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -423,3 +423,11 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow ifconfig_t bin_t:file { execute map read };
+userdom_append_getattr(ifconfig_t);
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 320619289..1277ebaad 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -284,6 +284,14 @@ interface(`systemd_read_logind_runtime_files',`
 	allow $1 systemd_logind_runtime_t:file read_file_perms;
 ')

+interface(`systemd_watch_logind_runtime_files',`
+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##   Manage systemd-logind runtime pipes.
@@ -363,6 +371,14 @@ interface(`systemd_read_logind_sessions_files',`
 	read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t)
 ')

+interface(`systemd_watch_logind_sessions_files',`
+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##      Write inherited logind sessions pipes.
@@ -538,6 +554,14 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')

+interface(`systemd_watch_machines',`
+	gen_require(`
+		type systemd_machined_runtime_t;
+	')
+
+	allow $1 systemd_machined_runtime_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7b2d359b7..a3d7d5a41 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1597,3 +1597,25 @@ userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 optional_policy(`
     dbus_system_bus_client(systemd_user_runtime_dir_t)
 ')
+
+########################################
+#
+# DEY custom rules
+#
+
+allow systemd_backlight_t sysctl_kernel_t:dir search;
+allow systemd_backlight_t sysctl_kernel_t:file { getattr ioctl open read };
+allow systemd_backlight_t sysctl_t:dir search;
+
+allow systemd_generator_t cgroup_t:filesystem getattr;
+allow systemd_generator_t removable_device_t:blk_file { getattr ioctl open read };
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t tmpfs_t:filesystem getattr;
+
+allow systemd_logind_t initrc_runtime_t:file watch;
+allow systemd_logind_t initrc_t:unix_stream_socket connectto;
+
+dbus_read_system_bus_runtime_dirs(systemd_resolved_t)
+allow systemd_resolved_t systemd_resolved_runtime_t:lnk_file { create rename };
+dbus_read_system_bus_runtime_named_sockets(systemd_resolved_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 538f28514..ab21990b1 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -600,6 +600,14 @@ interface(`udevadm_exec',`
 	udev_exec_udevadm($1)
 ')

+interface(`udevadm_signull',`
+	gen_require(`
+		type udevadm_t;
+	')
+
+	allow $1 udevadm_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Execute udevadm in the caller domain.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index daf64482f..1c8200e84 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -392,3 +392,10 @@ kernel_read_system_state(udevadm_t)
 seutil_read_file_contexts(udevadm_t)

 fs_getattr_xattr_fs(udevadm_t)
+
+########################################
+#
+# DEY custom rules
+#
+
+allow udev_t init_t:system start;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 55081d87b..8510fdabb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4444,6 +4444,14 @@ interface(`userdom_write_user_tmp_files',`
 	allow $1 user_tmp_t:file write_file_perms;
 ')

+interface(`userdom_append_getattr',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:file { append getattr };
+')
+
 ########################################
 ## <summary>
 ##      Do not audit attempts to write users
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2f8e1e4c7..e66fb3645 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -130,3 +130,10 @@ files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
 userdom_user_runtime_content(user_runtime_t)
+
+########################################
+#
+# DEY custom rules
+#
+
+dev_associate(user_tmpfs_t)
diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 823042414..a3474727d 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -251,6 +251,14 @@ interface(`xdg_create_cache_dirs',`
 	allow $1 xdg_cache_t:dir create_dir_perms;
 ')

+interface(`xdg_dir_watch',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	allow $1 xdg_cache_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	Manage the xdg cache home files
@@ -537,6 +545,14 @@ interface(`xdg_create_config_dirs',`
 	allow $1 xdg_config_t:dir create_dir_perms;
 ')

+interface(`xdg_config_dirs_search',`
+	gen_require(`
+		type xdg_config_t;
+	')
+
+	allow $1 xdg_config_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Manage the xdg config home files