From: dsugar@tresys.com (David Sugar) Date: Mon, 9 Oct 2017 21:15:13 +0000 Subject: [refpolicy] [PATCH 1/1] Fix problem labeling /run/log/journal/* Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/* [ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir [ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied [ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir [ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied [ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir [ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied [ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file [ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied Signed-off-by: Dave Sugar --- policy/modules/system/init.te | 3 +++ policy/modules/system/systemd.if | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 0aecd169..df5e1611 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -320,12 +320,15 @@ ifdef(`init_systemd',` logging_manage_pid_sockets(init_t) logging_send_audit_msgs(init_t) logging_relabelto_devlog_sock_files(init_t) + logging_relabel_generic_log_dirs(init_t) systemd_manage_passwd_runtime_symlinks(init_t) systemd_use_passwd_agent(init_t) systemd_list_tmpfiles_conf(init_t) systemd_relabelto_tmpfiles_conf_dirs(init_t) systemd_relabelto_tmpfiles_conf_files(init_t) + systemd_relabelto_journal_dirs(init_t) + systemd_relabelto_journal_files(init_t) term_create_devpts_dirs(init_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 766f33fb..69669a1a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -348,6 +348,46 @@ interface(`systemd_manage_journal_files',` manage_files_pattern($1, systemd_journal_t, systemd_journal_t) ') + +######################################## +## +## Relabel to systemd-journald directory type. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabelto_journal_dirs',` + gen_require(` + type systemd_journal_t; + ') + + files_search_var($1) + allow $1 systemd_journal_t:dir relabelto_dir_perms; +') + +######################################## +## +## Relabel to systemd-journald file type. +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_relabelto_journal_files',` + gen_require(` + type systemd_journal_t; + ') + + files_search_var($1) + list_dirs_pattern($1,systemd_journal_t,systemd_journal_t) + allow $1 systemd_journal_t:file relabelto_file_perms; +') + ######################################## ## ## Allow systemd_logind_t to read process state for cgroup file -- 2.13.5