new file mode 100644
@@ -0,0 +1,109 @@
+From 799cea7a4f7d604c065897346ae3a2e59df678cd Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Fri, 14 Mar 2025 09:04:49 -0600
+Subject: [PATCH] files, init: filetrans /run/machine-id etc_runtime_t
+
+type=PROCTITLE proctitle=/usr/lib/systemd/systemd-logind
+
+type=SYSCALL arch=armeb syscall=openat per=PER_LINUX success=yes exit=21
+a0=AT_FDCWD a1=0xb6eb6c2c a2=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC
+a3=0x0 items=0 ppid=1 pid=435 auid=unset uid=root gid=root euid=root
+suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=systemd-logind exe=/usr/lib/systemd/systemd-logind
+subj=system_u:system_r:systemd_logind_t:s0 key=(null)
+
+type=AVC avc: denied { open } for pid=435 comm=systemd-logind
+path=/etc/machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+type=AVC avc: denied { read } for pid=435 comm=systemd-logind
+name=machine-id dev="tmpfs" ino=13
+scontext=system_u:system_r:systemd_logind_t:s0
+tcontext=system_u:object_r:init_runtime_t:s0 tclass=file
+
+--
+
+https://www.spinics.net/lists/systemd-devel/msg09631.html
+Reproduction and suggestion to use dedicated type (TODO)
+
+--
+
+Fedora:
+
+$ matchpathcon /run/machine-id
+/run/machine-id system_u:object_r:machineid_t:s0
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.fc#L67
+
+$ sesearch --type_transition --class file --source init_t
+--target var_run_t | grep machine
+type_transition init_t var_run_t:file machineid_t machine-id;
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/system/init.te#L241
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/e053fced8c911bc390a81ca5ee7f3baccecb70e1]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/kernel/files.fc | 1 +
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ 3 files changed, 21 insertions(+)
+
+diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
+index c5012e6b4..3cdfd2f80 100644
+--- a/policy/modules/kernel/files.fc
++++ b/policy/modules/kernel/files.fc
+@@ -154,6 +154,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+ /run -l gen_context(system_u:object_r:var_run_t,s0)
+ /run/shm -l gen_context(system_u:object_r:var_run_t,s0)
+ /run/.* <<none>>
++/run/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
+ #
+ # /selinux
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 00146fc23..e0089254e 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -3776,6 +3776,25 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
+ dontaudit $1 etc_runtime_t:file setattr;
+ ')
+
++########################################
++## <summary>
++## Create a machine-id file in
++## the runtime directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_runtime_filetrans_machine_id',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ files_runtime_filetrans($1, etc_runtime_t, file, "machine-id")
++')
++
+ ########################################
+ ## <summary>
+ ## Read files in /etc that are dynamically
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8af34aa7e..026f77c16 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -178,6 +178,7 @@ allow init_t init_linkable_keyring_type:key link;
+ # For /var/run/shutdown.pid.
+ allow init_t init_runtime_t:file manage_file_perms;
+ files_runtime_filetrans(init_t, init_runtime_t, file)
++files_runtime_filetrans_machine_id(init_t)
+
+ # for /run/initctl
+ allow init_t init_runtime_t:fifo_file manage_fifo_file_perms;
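Review bot: The new `/run/machine-id` file context and the `files_runtime_filetrans_machine_id` interface reuse the generic `etc_runtime_t` type, so every domain already granted read access to etc_runtime files (for example through `files_read_etc_runtime_files`) can now read the machine ID, whereas the Fedora policy cited in the message confines it to a dedicated `machineid_t`; the message's own "suggestion to use dedicated type (TODO)" acknowledges this is a stopgap, but nothing in the policy files says so. I would record the tradeoff above the new files.fc entry, e.g. `# Stopgap: generic etc_runtime_t widens who may read the machine ID; a dedicated type (cf. Fedora machineid_t) is the intended follow-up`, and name the resulting label in the files.if summary: `## Create the machine-id file in the runtime directory, labeled etc_runtime_t`. Note also that the named transition only takes effect when init_t creates the file, so an instance of /run/machine-id created before this policy was loaded presumably keeps `init_runtime_t` until it is relabeled or the system reboots.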
@@ -77,6 +77,7 @@ SRC_URI += " \
file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
+ file://0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch \
"
S = "${WORKDIR}/refpolicy"
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
...ultiple-filetrans-run_machine_id-etc.patch | 109 ++++++++++++++++++
.../refpolicy/refpolicy_common.inc | 1 +
2 files changed, 110 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy/0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch