Date: Tue, 8 Jan 2019 22:41:51 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] /run/systemd/units/ links
Message-ID: <20190108114151.GA416@xev>

This allows systemd-journald to read /run/systemd/units/ link files.

Index: refpolicy-2.20180701/policy/modules/system/logging.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/logging.te +++ refpolicy-2.20180701/policy/modules/system/logging.te @@ -547,6 +547,7 @@ ifdef(`init_systemd',` init_create_pid_dirs(syslogd_t) init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") init_getattr(syslogd_t) + init_read_run_links(syslogd_t) init_rename_pid_files(syslogd_t) init_delete_pid_files(syslogd_t) init_dgram_send(syslogd_t) Index: refpolicy-2.20180701/policy/modules/system/init.if =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/init.if +++ refpolicy-2.20180701/policy/modules/system/init.if @@ -894,6 +894,26 @@ interface(`init_dgram_send',` ######################################## ## +## read init /run link files +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_read_run_links',` + gen_require(` + type init_var_run_t; + ') + + files_search_pids($1) + allow $1 init_var_run_t:lnk_file read_lnk_file_perms; +') + +######################################## +## ## Read and write to inherited init unix streams. ## ##
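Review bot: for the logging.te hunk, the patch description only restates the rule ("allows systemd-journald to read /run/systemd/units/ link files") and does not say what journald does with those links or quote the AVC denial being fixed; add one sentence (or the audit line) so a reader of logging.te can tell why a logging daemon needs read access to init's run-time symlinks and whether lnk_file read alone resolves it. Placing the call between init_getattr(syslogd_t) and init_rename_pid_files(syslogd_t) keeps the existing order of the ifdef(`init_systemd') block, so nothing to change there.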
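Review bot: in the init.if hunk, files_search_pids($1) only grants search on the top-level /run directory type; if /run/systemd and /run/systemd/units carry init_var_run_t as well (the usual refpolicy labelling for /run/systemd), a caller that does not already have dir search on init_var_run_t is denied on the directory before it ever reaches the lnk_file, so the interface is not self-sufficient. Consider adding `allow $1 init_var_run_t:dir search_dir_perms;` next to the lnk_file rule. Two smaller points: the rule covers every init_var_run_t symlink, not only those under /run/systemd/units/, so the summary "read init /run link files" is the right scope and the commit message should not suggest it is narrower; and a name in line with the neighbouring init_rename_pid_files()/init_delete_pid_files() interfaces, e.g. init_read_pid_symlinks(), would match the file's existing naming better than init_read_run_links().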