systemd-homed: various fixups

policy/modules/system/authlogin.te

@@ -476,6 +476,7 @@ sysnet_dns_name_resolve(nsswitch_domain)
 
 ifdef(`init_systemd', `
 	systemd_stream_connect_userdb(nsswitch_domain)
+	systemd_stream_connect_homed(nsswitch_domain)
 ')
 
 tunable_policy(`authlogin_nsswitch_use_ldap',`

policy/modules/system/locallogin.te

@@ -154,6 +154,8 @@ ifdef(`init_systemd',`
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
+	systemd_dbus_chat_homed(local_login_t)
+	systemd_stream_connect_homed(local_login_t)
 ')
 
 ifdef(`distro_debian',`

policy/modules/system/lvm.if

@@ -210,6 +210,25 @@ interface(`lvm_manage_runtime_files',`
 	manage_files_pattern($1, lvm_runtime_t, lvm_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Manage LVM runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_manage_runtime_dirs',`
+	gen_require(`
+		type lvm_runtime_t;
+	')
+
+	manage_dirs_pattern($1, lvm_runtime_t, lvm_runtime_t)
+')
+
 ######################################
 ## <summary>
 ##	All of the rules required to

policy/modules/system/systemd.fc

@@ -61,6 +61,11 @@ HOME_DIR/\.config/containers/systemd(/.*)?		gen_context(system_u:object_r:system
 HOME_DIR/\.config/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home_t,s0)
 HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data_home_t,s0)
 
+# homed files
+HOME_DIR/\.identity	--	gen_context(system_u:object_r:systemd_homed_record_t,s0)
+HOME_DIR/\.identity-blob(/.*)?	gen_context(system_u:object_r:systemd_homed_record_t,s0)
+HOME_ROOT/(.+)\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0)
+
 /usr/lib/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_user_unit_t,s0)
 
 /usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
@@ -106,6 +111,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
+/run/systemd/user-home-mount	-d	gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
 /run/systemd/network(/.*)?  gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
 /run/systemd/notify		-s	gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)

policy/modules/system/systemd.if

@@ -1136,6 +1136,25 @@ interface(`systemd_dbus_chat_homed',`
 	allow systemd_homed_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##   Connect to /run/systemd/userdb/io.systemd.Home to
+##   query user account information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_stream_connect_homed',`
+	gen_require(`
+		type systemd_homed_t;
+	')
+
+	allow $1 systemd_homed_t:unix_stream_socket connectto;
+')
+
 ######################################
 ## <summary>
 ##   Read and write systemd-homework semaphores.

policy/modules/system/systemd.te

@@ -126,9 +126,16 @@ domain_type(systemd_homework_t)
 domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
 role system_r types systemd_homework_t;
 
+type systemd_homed_record_t;
+files_auth_file(systemd_homed_record_t)
+
 type systemd_homed_runtime_t;
 files_runtime_file(systemd_homed_runtime_t)
 
+type systemd_homed_runtime_work_dir_t;
+files_runtime_file(systemd_homed_runtime_work_dir_t)
+files_mountpoint(systemd_homed_runtime_work_dir_t)
+
 type systemd_homed_storage_t;
 files_type(systemd_homed_storage_t)
 
@@ -675,6 +682,9 @@ allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
 allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
 
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homed_t)
+
 # Entries such as /sys/devices/virtual/block/loop1/uevent:
 dev_read_sysfs(systemd_homed_t)
 
@@ -725,14 +735,21 @@ allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
 files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
 init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
 
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homework_t)
+
 # mount on /run/systemd/user-home-mount
-allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+allow systemd_homework_t systemd_homed_runtime_work_dir_t:dir mounton;
 
 allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
 files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
 
 allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
 
+# setup luks backed home directories in /run/cryptsetup
+lvm_manage_runtime_files(systemd_homework_t)
+lvm_manage_runtime_dirs(systemd_homework_t)
+
 dev_rw_loop_control(systemd_homework_t)
 dev_read_rand(systemd_homework_t)
 dev_read_urand(systemd_homework_t)
@@ -769,6 +786,10 @@ systemd_log_parse_environment(systemd_homework_t)
 
 udev_read_runtime_files(systemd_homework_t)
 
+read_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+create_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+delete_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+
 #######################################
 #
 # Hostnamed policy