From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sun, 7 Sep 2014 23:28:15 +0200 Subject: [refpolicy] [PATCH v2 6/7] Allow journald to access to the state of all processes In-Reply-To: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> References: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1410125296-26728-6-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When a process sends a syslog message to journald, journald records information such as command, executable, cgroup, etc.: http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589 This needs domain_read_all_domains_state. --- policy/modules/system/logging.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index e0d9b5ec7b34..c2fb80d6062e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -442,6 +442,8 @@ dev_read_sysfs(syslogd_t) dev_rw_kmsg(syslogd_t) domain_use_interactive_fds(syslogd_t) +# Allow access to /proc/ information for journald +domain_read_all_domains_state(syslogd_t) files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -- 2.1.0