selinux-policy/backport-Allow-systemd-coredump-mounton-usr.patch
2023-08-24 11:33:18 +08:00

From 4a49782a31552a8ef0894f0c8d52a2328f269b1c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 11 Apr 2023 13:22:29 +0200
Subject: [PATCH] Allow systemd-coredump mounton /usr

The files_mounton_usr() interface was added.

Addresses the following AVC denial:
type=AVC msg=audit(1680965603.852:5360): avc: denied { mounton } for pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1

Resolves: rhbz#2185385
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 1a57076567..6226fca96c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3699,6 +3699,24 @@ interface(`files_mounton_etc',`
allow $1 etc_t:dir mounton;
')
+########################################
+## <summary>
+## Mounton directories on the /usr filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir mounton;
+')
+
########################################
## <summary>
## Search the contents of /etc directories.
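Review bot: the summary "Mounton directories on the /usr filesystem" understates what the rule grants; `allow $1 usr_t:dir mounton;` applies to every directory labeled usr_t, wherever it lives, not only to directories under /usr, since the type does not carry a path. Reword the summary to describe the type rather than the mount point (for example "Mount on usr_t directories") so that callers of files_mounton_usr() understand this is a type-wide grant. Note also that the denial being addressed has path="/" and ino=2 on dev="sda4" with tcontext usr_t, i.e. the target is the root of a separately mounted /usr filesystem; since the interface cannot express that narrower target, the wider grant is the only option in this policy, and the documentation should say that openly rather than suggest the access is limited to /usr.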
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 57c72d8347..60dbc205ef 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1144,6 +1144,7 @@ files_read_non_security_files(systemd_coredump_t)
files_map_non_security_files(systemd_coredump_t)
files_mounton_rootfs(systemd_coredump_t)
+files_mounton_usr(systemd_coredump_t)
fs_getattr_nsfs_files(systemd_coredump_t)
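Review bot: the new files_mounton_usr() call is added unconditionally, next to the existing files_mounton_rootfs(systemd_coredump_t), without any comment explaining why a coredump handler needs mounton on usr_t; since the reason (the (sd-parse-elf) helper named in the AVC sets up its own mount tree, which on a system with /usr as a separate filesystem, as dev="sda4" ino=2 path="/" in the denial indicates, hits usr_t) only lives in the commit message, add a one-line comment above these two mounton rules so the grant is not later mistaken for a leftover and removed. The denial was also captured with permissive=1, so a single AVC is all that was logged for that run; after rebuilding the module, confirm the rule is present with `sesearch -A -s systemd_coredump_t -t usr_t -c dir -p mounton` and re-test a crash on a host with a separate /usr in enforcing mode, to check that no further mounton denials on other types follow once this one is allowed.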