From: pebenito@ieee.org (Chris PeBenito) Date: Fri, 29 Dec 2017 10:28:01 -0500 Subject: [refpolicy] [PATCH] some file:map additions, and support /etc/resolv.conf symlink In-Reply-To: <20171228051517.GA7925@aaa.coker.com.au> References: <20171228051517.GA7925@aaa.coker.com.au> Message-ID: <5223ff6c-f0be-b09f-3307-b605991ad892@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/28/2017 12:16 AM, Russell Coker via refpolicy wrote: > This patch adds some file:map permissions, changes sysnet_dns_name_resolve() > to support the case where /etc/resolv.conf is a symlink to /run/NetworkManager, > and allows useradd and groupadd to talk to dbus. > > This was written to support Debian/Testing with the latest git policy. > > Index: refpolicy-2.20171228/policy/modules/system/logging.te > =================================================================== > --- refpolicy-2.20171228.orig/policy/modules/system/logging.te > +++ refpolicy-2.20171228/policy/modules/system/logging.te > @@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t > # manage temporary files > manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) > manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) > +allow syslogd_t syslogd_tmp_t:file map; > + > files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) > > manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) > @@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t) > > # manage pid file > manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) > +allow syslogd_t syslogd_var_run_t:file map; Are these above perms due to journald? If so, they should be in the init_systemd block. -- Chris PeBenito
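Review bot: In the `@@ -418,6 +418,8 @@` hunk of logging.te, `allow syslogd_t syslogd_tmp_t:file map;` is granted unconditionally, with no comment saying which daemon needs to mmap its temporary files. If only one logging implementation needs it, the rule should go in that implementation's conditional block rather than in the general syslogd_t rules, with a one-line comment naming the consumer so the permission can be audited later. The blank line added after the rule also separates `files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })` from the "manage temporary files" group it belongs to. Keep the new rule and the filetrans call together.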
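Review bot: In the `@@ -426,6 +428,8 @@` hunk, `allow syslogd_t syslogd_var_run_t:file map;` is placed under the existing comment "# manage pid file", which does not explain why a file of this type would need to be mapped. The rule grants map on every file labelled syslogd_var_run_t, not only the pid file. Add a comment stating which files are mapped and by which daemon, and scope the rule to the block for that daemon if it is not needed by every syslogd_t implementation. The patch description lists file:map additions without the denials that prompted them, so quoting the relevant AVC message in the commit text would let a reader verify that the access is required.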