Apply generator template to selinux-autorelabel generator

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2387134

Author: zpytela

policy/modules/system/selinuxutil.fc

@@ -29,8 +29,6 @@
 
 /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
 
-/usr/lib/systemd/system-generators/selinux-autorelabel-generator\.sh	--	gen_context(system_u:object_r:selinux_autorelabel_generator_exec_t,s0)
-
 /usr/libexec/selinux/selinux-autorelabel	--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 /usr/bin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -54,10 +52,9 @@
 /var/lib/sepolgen(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
 
 #
-# /var/run
+# /run
 #
 /run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
-/run/systemd/generator/selinux-autorelabel\.service\.d(/.*?)	gen_context(system_u:object_r:selinux_autorelabel_generator_unit_file_t,s0)
 
 /etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)

policy/modules/system/selinuxutil.te

@@ -142,12 +142,6 @@ domain_type(setfiles_mac_t)
 domain_entry_file(setfiles_mac_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_mac_t)
 
-type selinux_autorelabel_generator_t;
-type selinux_autorelabel_generator_exec_t;
-init_system_domain(selinux_autorelabel_generator_t, selinux_autorelabel_generator_exec_t)
-type selinux_autorelabel_generator_unit_file_t;
-files_type(selinux_autorelabel_generator_unit_file_t)
-
 ########################################
 #
 # Checkpolicy local policy
@@ -818,45 +812,3 @@ files_delete_boot_flag(policy_manager_domain)
 optional_policy(`
 	policykit_dbus_chat(policy_manager_domain)
 ')
-
-########################################
-#
-# selinux-relabel-generator local policy
-#
-
-allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:dir manage_dir_perms;
-allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:file manage_file_perms;
-allow selinux_autorelabel_generator_t selinux_autorelabel_generator_unit_file_t:lnk_file manage_lnk_file_perms;
-
-# src:elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
-kernel_read_proc_files(selinux_autorelabel_generator_t)
-
-# src:ln, selinuxenabled, cat
-corecmd_exec_bin(selinux_autorelabel_generator_t)
-
-# src:mkdir -p "$earlydir/selinux-autorelabel.service.d"
-init_filetrans_named_content(selinux_autorelabel_generator_t)
-
-optional_policy(`
-	# src:#!/bin/bash
-	auth_dontaudit_read_passwd_file(selinux_autorelabel_generator_t)
-')
-
-optional_policy(`
-	# src:source /etc/selinux/config
-	seutil_read_config(selinux_autorelabel_generator_t)
-')
-
-optional_policy(`
-	systemd_unit_file(selinux_autorelabel_generator_unit_file_t)
-
-	# src:mkdir -p "$earlydir/selinux-autorelabel.service.d"
-	systemd_unit_file_filetrans(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, dir)
-
-	# src:ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
-	systemd_manage_unit_symlinks(selinux_autorelabel_generator_t)
-	systemd_getattr_generic_unit_files(selinux_autorelabel_generator_t)
-
-	# src:cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
-	manage_files_pattern(selinux_autorelabel_generator_t, selinux_autorelabel_generator_unit_file_t, selinux_autorelabel_generator_unit_file_t)
-')

policy/modules/system/systemd.fc

@@ -84,6 +84,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/system-generators/nfsroot-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/nfs-server-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/rpc-pipefs-generator	--	gen_context(system_u:object_r:systemd_nfs_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/selinux-autorelabel-generator\.sh	--	gen_context(system_u:object_r:systemd_selinux_autorelabel_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-bless-boot-generator	--	gen_context(system_u:object_r:systemd_bless_boot_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-cryptsetup-generator	--	gen_context(system_u:object_r:systemd_cryptsetup_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-debug-generator	--	gen_context(system_u:object_r:systemd_debug_generator_exec_t,s0)

policy/modules/system/systemd.te

@@ -222,6 +222,8 @@ systemd_generator_template(systemd_import_generator)
 systemd_generator_template(systemd_nfs_generator)
 # rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
+# selinux_autorelabel generator
+systemd_generator_template(systemd_selinux_autorelabel_generator)
 # ssh-generator
 systemd_generator_template(systemd_ssh_generator)
 # sysv-generator
@@ -1478,6 +1480,11 @@ permissive systemd_nfs_generator_t;
 ### systemd rc_local generator
 init_exec_script_files(systemd_rc_local_generator_t)
 
+### selinux_autorelabel generator
+optional_policy(`
+	seutil_read_config(systemd_selinux_autorelabel_generator_t)
+')
+
 ### systemd import generator
 permissive systemd_import_generator_t;