Label /var/cache/systemd/home with systemd_homed_cache_t

Label /var/cache/systemd/home with systemd_homed_cache_t and allow
systemd-homed and systemd-homework read files in there.
Together with that, label /var/cache/systemd with systemd_cache_t.

Resolves: rhbz#2036108

policy/modules/system/systemd-homed.fc

@@ -12,6 +12,8 @@
 /usr/lib/systemd/system/systemd-homed-activate\.service   --  gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
 /usr/lib/systemd/system/systemd-homed\.service            --  gen_context(system_u:object_r:systemd_homed_unit_file_t,s0)
 
+/var/cache/systemd/home(//.*)?		gen_context(system_u:object_r:systemd_homed_cache_t,s0)
+
 /var/lib/systemd/home/(.+)\.identity                      --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
 /var/lib/systemd/home/local\.private                      --  gen_context(system_u:object_r:systemd_homed_record_t,s0)
 /var/lib/systemd/home/(.+)\.public                        --  gen_context(system_u:object_r:systemd_homed_record_t,s0)

policy/modules/system/systemd-homed.te

@@ -15,6 +15,9 @@ domain_type(systemd_homework_t)
 domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
 role system_r types systemd_homework_t;
 
+type systemd_homed_cache_t;
+files_type(systemd_homed_cache_t)
+
 type systemd_homed_crypto_luks_t;
 userdom_user_home_content(systemd_homed_crypto_luks_t)
 
@@ -71,6 +74,10 @@ files_manage_isid_type_files(systemd_homed_t)
 # /dev/shm
 fs_getattr_tmpfs(systemd_homed_t)
 
+# /var/cache/systemd/home
+list_dirs_pattern(systemd_homed_t, systemd_homed_cache_t, systemd_homed_cache_t)
+read_files_pattern(systemd_homed_t, systemd_homed_cache_t, systemd_homed_cache_t)
+
 # /var/lib/systemd/home
 manage_files_pattern(systemd_homed_t, systemd_homed_library_dir_t, systemd_homed_record_t)
 init_var_lib_filetrans(systemd_homed_t, systemd_homed_library_dir_t, dir, "home")
@@ -131,7 +138,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-    systemd_manage_userdbd_runtime_sock_files(systemd_homed_t)
+	systemd_manage_userdbd_runtime_sock_files(systemd_homed_t)
+	systemd_search_cache_dirs(systemd_homed_t)
 ')
 
 optional_policy(`
@@ -174,6 +182,10 @@ files_manage_isid_type_dirs(systemd_homework_t)
 files_manage_isid_type_files(systemd_homework_t)
 files_mounton_isid(systemd_homework_t)
 
+# /var/cache/systemd/home
+list_dirs_pattern(systemd_homework_t, systemd_homed_cache_t, systemd_homed_cache_t)
+read_files_pattern(systemd_homework_t, systemd_homed_cache_t, systemd_homed_cache_t)
+
 # /run/systemd/home/notify
 write_sock_files_pattern(systemd_homework_t, systemd_homed_runtime_dir_t, systemd_homed_runtime_socket_t)
 
@@ -241,6 +253,10 @@ optional_policy(`
     miscfiles_read_all_certs(systemd_homework_t)
 ')
 
+optional_policy(`
+	systemd_search_cache_dirs(systemd_homework_t)
+')
+
 optional_policy(`
     udev_read_pid_files(systemd_homework_t)
     udev_search_pids(systemd_homework_t)

policy/modules/system/systemd.fc

@@ -97,6 +97,8 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/systemd-journal-upload		--	gen_context(system_u:object_r:systemd_journal_upload_exec_t,s0)
 /usr/lib/systemd/systemd-sleep		--	gen_context(system_u:object_r:systemd_sleep_exec_t,s0)
 
+/var/cache/systemd(//.*)?		gen_context(system_u:object_r:systemd_cache_t,s0)
+
 /var/lib/machines(/.*)?			gen_context(system_u:object_r:systemd_machined_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?		gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/network(/.*)?         gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0)

policy/modules/system/systemd.if

@@ -218,6 +218,25 @@ interface(`systemd_unit_file',`
 	files_type($1)
 ')
 
+######################################
+## <summary>
+##      Allow domain to search systemd cache dirs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_search_cache_dirs',`
+        gen_require(`
+                type systemd_cache_t;
+        ')
+
+	files_search_var($1)
+	allow $1 systemd_cache_t:dir search_dir_perms;
+')
+
 ######################################
 ## <summary>
 ##      Allow domain to search systemd unit dirs.
@@ -232,7 +251,7 @@ interface(`systemd_search_unit_dirs',`
         gen_require(`
                 attribute systemd_unit_file_type;
         ')
-	
+
 	files_search_var_lib($1)
 	allow $1 systemd_unit_file_type:dir search_dir_perms;
 ')

policy/modules/system/systemd.te

@@ -79,6 +79,9 @@ init_nnp_daemon_domain(systemd_networkd_t)
 type systemd_networkd_unit_file_t;
 systemd_unit_file(systemd_networkd_unit_file_t)
 
+type systemd_cache_t;
+files_type(systemd_cache_t)
+
 type systemd_networkd_var_lib_t;
 files_type(systemd_networkd_var_lib_t)