From 780a1f25fd17d3524f9966d08f9870e74d878b30 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Fri, 6 Oct 2023 11:10:48 +0200
Subject: [PATCH] Allow kernel_t to manage and relabel all files

Extend the abitlity to manage all files also to character & block device files and also allow relabeling any file. This is required for early boot overlay mounts to fully work, but may be needed for other legitimate oprations as well.

See also: https://github.com/ostreedev/ostree/pull/3062

Signed-off-by: Ondrej Mosnacek
Resolves: rhbz#2182033
---
 policy/modules/kernel/files.if | 38 +++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te | 3 +++
 2 files changed, 41 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 008b6ec719..d8bb82e7aa 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1839,6 +1839,44 @@ interface(`files_manage_all_files',`
 	')
 ')
 
+########################################
+##
+## Manage all block device files on the filesystem.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_all_blk_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	manage_blk_files_pattern($1, file_type, file_type)
+')
+
+########################################
+##
+## Manage all character device files on the filesystem.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_manage_all_chr_files',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	manage_chr_files_pattern($1, file_type, file_type)
+')
+
 ########################################
 ##
 ## Grant execute access to all files on the filesystem,
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index bc1a41e4e3..6ff006a4b9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
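Review bot: The two new interfaces are a very broad grant — `manage_blk_files_pattern($1, file_type, file_type)` and its chr_file twin let the caller create, write, unlink and rename device nodes of any file type in any `file_type` directory — yet their summaries say only "Manage all block/character device files on the filesystem" with no warning about that breadth. I would add to each summary a caveat along the lines of `##	This is an unconfined-level privilege: it covers device nodes of every file type in every directory and should only be granted to kernel or init-like domains.` Note also that, if I read the pattern macro right, this does not include `capability mknod`, so a caller other than kernel_t would still need that to actually create new nodes; a sentence saying so would stop the next user of these interfaces from assuming the grant is self-contained. Together with the `files_relabel_all_files(kernel_t)` line in the kernel.te hunk this effectively removes any type boundary between kernel_t and on-disk objects, which is presumably acceptable for kernel_t but is a reason not to reuse these interfaces for confined domains.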
@@ -381,6 +381,9 @@ domain_rw_all_sockets(kernel_t)
 domain_obj_id_change_exemption(kernel_t)
 files_manage_all_files(kernel_t)
+files_manage_all_blk_files(kernel_t)
+files_manage_all_chr_files(kernel_t)
+files_relabel_all_files(kernel_t)
 # The 'execute' permission on lower inodes is checked against the mounter
 # cred by overlayfs, so we need to grant it to allow overlay mounts created
 # during early boot to work.