From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sun, 7 Sep 2014 23:28:13 +0200 Subject: [refpolicy] [PATCH v2 4/7] Support logging with /run/systemd/journal/dev-log In-Reply-To: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> References: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1410125296-26728-4-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In June 2014 systemd moved the socket used by journald to /run. This requires two new directory search access for every domain sending syslog messages: * /run/systemd/ (handled by init_search_run) * /run/systemd/journal/ (labeled syslogd_var_run_t) systemd commit: http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99 --- policy/modules/system/logging.if | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4e94884637dc..21c4f522515b 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -530,12 +530,16 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + type syslogd_t, syslogd_var_run_t, devlog_t; ') allow $1 devlog_t:lnk_file read_lnk_file_perms; allow $1 devlog_t:sock_file write_sock_file_perms; + # systemd journal socket is in /run/systemd/journal/dev-log + init_search_run($1) + allow $1 syslogd_var_run_t:dir search_dir_perms; + # the type of socket depends on the syslog daemon allow $1 syslogd_t:unix_dgram_socket sendto; allow $1 syslogd_t:unix_stream_socket connectto; -- 2.1.0