Draft: Update systemd-generators

Confine all systemd generators and setup a label for a generic
generator.

policy/modules/system/init.fc

@@ -56,7 +56,7 @@ ifdef(`distro_gentoo', `
 
 /usr/lib/systemd/[^/]*		--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/fedora[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/usr/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+#/usr/lib/systemd/system-generators/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)

policy/modules/system/systemd.fc

@@ -68,10 +68,17 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/systemd-coredump	--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_network_generator_exec_t,s0)
+
+/usr/lib/systemd/system-generators/systemd-bless-boot-generator	--	gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-cryptsetup-generator	--	gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-debug-generator	--	gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-fstab-generator	--	gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-getty-generator	--	gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-rc-local-generator	--	gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator	--	gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/zram-generator	--	gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/.+	--	gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
 /usr/lib/systemd/systemd-resolve(d|-host)			gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-importd		--	gen_context(system_u:object_r:systemd_importd_exec_t,s0)
 /usr/lib/systemd/systemd-journal-upload		--	gen_context(system_u:object_r:systemd_journal_upload_exec_t,s0)

policy/modules/system/systemd.if

@@ -60,6 +60,40 @@ template(`systemd_generator_template',`
 	systemd_create_unit_file_lnk($1_t)
 ')
 
+######################################
+## <summary>
+##  Creates types and rules for 
+##  systemd generators - new version
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`systemd_generator_template_new',`
+	gen_require(`
+		attribute systemd_generator2;
+	')
+
+	type $1_t, systemd_generator2;
+	type $1_exec_t;
+	init_daemon_domain($1_t, $1_exec_t)
+	init_nnp_daemon_domain($1_t)
+
+	#kernel_read_system_state($1_t)
+
+	#dev_write_kmsg($1_t)
+
+	#auth_use_nsswitch($1_t)
+	#selinux_get_enforce_mode($1_t)
+
+	#systemd_manage_unit_dirs($1_t)
+	#systemd_create_unit_file_dirs($1_t)
+	#systemd_create_unit_file_lnk($1_t)
+	permissive $1_t;
+')
+
 ######################################
 ## <summary>
 ##      Create a domain for processes which are started 

policy/modules/system/systemd.te

@@ -24,6 +24,7 @@ gen_tunable(systemd_socket_proxyd_connect_any, false)
 attribute systemd_unit_file_type;
 attribute systemd_domain;
 attribute systemd_generator;
+attribute systemd_generator2;
 attribute systemctl_domain;
 attribute systemd_mount_directory;
 attribute systemd_private_tmp_type;
@@ -193,6 +194,18 @@ systemd_domain_template(systemd_network_generator)
 type systemd_gpt_generator_unit_file_t;
 systemd_unit_file(systemd_gpt_generator_unit_file_t)
 
+# domain for bless-boot-generator
+systemd_generator_template_new(systemd_bless_boot_generator)
+
+# domain for cryptsetup-generator
+systemd_generator_template_new(systemd_cryptsetup_generator)
+
+# domain for debug-generator
+systemd_generator_template_new(systemd_debug_generator)
+
+# domain for getty-generator
+systemd_generator_template_new(systemd_getty_generator)
+
 #domain for fstab-generator
 systemd_generator_template(systemd_fstab_generator)
 
@@ -202,6 +215,12 @@ systemd_generator_template(systemd_rc_local_generator)
 #domain for sysv-generator
 systemd_generator_template(systemd_sysv_generator)
 
+# domain for zram-generator
+systemd_generator_template_new(systemd_zram_generator)
+
+# domain for a generic generator
+systemd_generator_template_new(systemd_generic_generator)
+
 #domain for systemd-machined
 systemd_domain_template(systemd_machined)