From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 29 Dec 2017 10:28:01 -0500
Subject: [refpolicy] [PATCH] some file:map additions,
 and support /etc/resolv.conf symlink
In-Reply-To: <20171228051517.GA7925@aaa.coker.com.au>
References: <20171228051517.GA7925@aaa.coker.com.au>
Message-ID: <5223ff6c-f0be-b09f-3307-b605991ad892@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/28/2017 12:16 AM, Russell Coker via refpolicy wrote:
> This patch adds some file:map permissions, changes sysnet_dns_name_resolve()
> to support the case where /etc/resolv.conf is a symlink to /run/NetworkManager,
> and allows useradd and groupadd to talk to dbus.
> 
> This was written to support Debian/Testing with the latest git policy.
> 
> Index: refpolicy-2.20171228/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20171228.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20171228/policy/modules/system/logging.te
> @@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
>   # manage temporary files
>   manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
>   manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
>   files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>   
>   manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)
>   
>   # manage pid file
>   manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;

Are these above perms due to journald?  If so, they should be in the 
init_systemd block.


-- 
Chris PeBenito