Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4035272ybv;
        Sun, 16 Feb 2020 12:03:54 -0800 (PST)
X-Google-Smtp-Source: APXvYqwSzF7SQ5S7WuEAb4Qe+MBkhMj9I20/u1Trgi0zmLQa1/DUcvJXvbPFY5q+pMMkGob7YfhD
X-Received: by 2002:a05:6830:1691:: with SMTP id k17mr10151232otr.282.1581883433986;
        Sun, 16 Feb 2020 12:03:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581883433; cv=none;
        d=google.com; s=arc-20160816;
        b=IwHeuXVffCx1k9984M2sFmeYeZoo2aNWDeQzgOkhv/sDqOoQUmtTZzX5xtSs6fotvJ
         R2RAgPPMrdceY61/+un7WcduoxP+UciVYbFJRLOedbfRn7R1/kKnFLCis1C/8g7bCjFu
         +AMEg/F/FnrXmDqNmI2X96Mgc4+lixoxXbOmwAPnvFOKUn7xMYV7R5zDH9J+fpBmUDp+
         j4H8hppJC96ST3WooTjoWhdA3sRzwcC+uZfbFR4Kd5L1JJKw9nkDB+NH4seyl50tZqh+
         8mIgJevUDMQufPA664j1bytQ5ZFr1PbW2ZiwwNk4hanFVBOyFcAmcwf1UvOS2DPdK2or
         JMKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=2hTzVkWtEmtI0uGsXvxQ9gH7YMGq4aFDy95h8LD+uhY=;
        b=gFF7q6Hl6hQXY6MoZ+JCUsqPMfBBov4GKxq3LVfOdwtWEYVwJVC/tP5xtEyEFTRX8p
         kOnQ47jcvR0qVMw+SCQl+1FV4l4w6MlEvBfcGfkmzLfDVK5+JaJBBVeppnOVWZD5jhXS
         kQKXnZHZC4p2vgVYxoJUpzKd/ZMYeL0F2ZqPhsJFDZZRi6QER5YbHa0Rdm8lfC0FNus8
         7b9R5Fv1uCmXKPMIhNHkGXoEOTvkAvm3AQF3HTTwc7TS9y9nPzQifPJYr641r5ky5i/S
         RIBNdOucysQnUE6iHgdLLXy8rVDgFNYiZoUtueuXEokHirAaQH6bryORuQMjn1kQ2rKo
         I6AA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@perfinion-com.20150623.gappssmtp.com header.s=20150623 header.b=ZYywouEl;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s22si5287396oij.35.2020.02.16.12.03.51;
        Sun, 16 Feb 2020 12:03:53 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@perfinion-com.20150623.gappssmtp.com header.s=20150623 header.b=ZYywouEl;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726037AbgBPUDv (ORCPT <rfc822;refpolicysuse@gmail.com>
        + 13 others); Sun, 16 Feb 2020 15:03:51 -0500
Received: from mail-pl1-f170.google.com ([209.85.214.170]:39139 "EHLO
        mail-pl1-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725989AbgBPUDv (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 16 Feb 2020 15:03:51 -0500
Received: by mail-pl1-f170.google.com with SMTP id g6so5857210plp.6
        for <selinux-refpolicy@vger.kernel.org>; Sun, 16 Feb 2020 12:03:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=perfinion-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=2hTzVkWtEmtI0uGsXvxQ9gH7YMGq4aFDy95h8LD+uhY=;
        b=ZYywouElp3PNSwQPTwII/b8GQ5kcoor2K+Ig5NYVI5L8MVM2Ykn19otdhr49A31vEz
         Xs1Uvngd2DomY0DVMU1HG69yQ8CVRUii41CKFN4A9fs640PmhIjkg/PRK4OMV7xl6Be2
         gwjjQ1J6ola4242k6fribjUW10sE9DuK6QfZ/b6BWh9RY1lRqv59SO0CyitL836Pj/JN
         pZXPC0RNvJYiW7SfcSf9uDHtawRIgdHGtVzZi0Mlthw5zcLXnNjOHPX2cIvCDCsQ9hN0
         Ogrzut9QDx50ni4LcySlehkZ2usiopq3eR8LhWtpl2i67rnsELEqzRdeMjsXoAJ6T+OJ
         F3dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=2hTzVkWtEmtI0uGsXvxQ9gH7YMGq4aFDy95h8LD+uhY=;
        b=bwEPoQB4f0N7vgjlmz/NGGMEXqpth3rQyCyK6O7IIv1GSxUtWzpb21RDfR4GtByHbH
         ZvhO8XK6eBkDTxjcRD7RaIaSZlEOf+EzRNo4La09KeN9uKdptJj52/cAf3mQiE40eprb
         3+TqiaB72zo+SLpxo4tMXaLaN5lleLb2z1QRz/mM5cNBR6h5vujxNivKvL1xGVGLyEpN
         LdGbySLT+v5houkN0Olw7HEaR30xh43HYH5RzaGY4jpUHXoG6ycC8QcAUVGZ2ELLFgiv
         6+KRf2kyY2gYaoXfc3fJFkEmHOd2WUCRh1TBYxjiRf1tv9HElvUXmBT3WvC+yUBbETWc
         vY0w==
X-Gm-Message-State: APjAAAUyP2f3Rv4kjhYHupQFss0P/h4nrPupXKvpmd6ZqbTVeR+4xlbx
        PO5WpMaIm874jPFRpyxWaja0HLbw0UM=
X-Received: by 2002:a17:902:524:: with SMTP id 33mr13342777plf.241.1581883430733;
        Sun, 16 Feb 2020 12:03:50 -0800 (PST)
Received: from localhost ([101.127.140.252])
        by smtp.gmail.com with ESMTPSA id l21sm14501432pgo.33.2020.02.16.12.03.49
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 16 Feb 2020 12:03:50 -0800 (PST)
From:   Jason Zaman <jason@perfinion.com>
To:     selinux-refpolicy@vger.kernel.org
Cc:     Jason Zaman <jason@perfinion.com>
Subject: [PATCH 03/10] accountsd: Add watch perms
Date:   Mon, 17 Feb 2020 04:03:12 +0800
Message-Id: <20200216200319.39337-3-jason@perfinion.com>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200216200319.39337-1-jason@perfinion.com>
References: <20200216200319.39337-1-jason@perfinion.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/services/accountsd.te |  2 ++
 policy/modules/system/logging.if     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
 
 files_read_mnt_files(accountsd_t)
 files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
 
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
 logging_list_logs(accountsd_t)
 logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
 
 userdom_read_user_tmp_files(accountsd_t)
 userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
 	manage_files_pattern($1, var_log_t, var_log_t)
 ')
 
+########################################
+## <summary>
+##	Watch generic log dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	allow $1 var_log_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-- 
2.24.1