author    Dave Sugar <dsugar100@gmail.com>   2022-08-26 08:45:38 -0400
committer Jason Zaman <perfinion@gentoo.org> 2022-09-03 12:07:50 -0700
commit    d50193d70d6d2620c82c112a534d36a6ff06e6ea (patch)
tree      77701630604846a96288eb078a1cff9aa9ac5a4b
parent    systemd: init_t creates systemd-logind 'linger' directory (diff)
systemd: systemd-update-done fix startup issue
Seeing error:

  Failed to initialize SELinux labeling handle: No such file or directory

but no denials. With strace (and looking at source) found it is opening /etc/selinux/config

  openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3

but that was dontaudited.

  allow systemd_update_done_t file_type:filesystem getattr;
  allow systemd_update_done_t selinux_config_t:dir { getattr open search };
  dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
  dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };

These changes fix the issue.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
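The debugging story in the commit message turns on one SELinux rule: a dontaudit rule does not grant access, it only suppresses the AVC record when the access is denied, so "no denials" in the audit log is not evidence that the access succeeded. The following script is an added example, not code from refpolicy or from the commit author. It parses sesearch-style rule lines (the four quoted above are reproduced as constructed input) and reports, for the traced openat() of /etc/selinux/config, whether each required permission is allowed, silently denied, or denied with an audit record. The "after" rule set assumes that seutil_read_config() grants { getattr ioctl lock open read } on selinux_config_t files; that permission set is an assumption here, not copied from the interface.

```python
"""Classify a traced SELinux access against allow/dontaudit rules.

Added example for this commit page; not refpolicy code. The rule text is
constructed from the lines quoted in the commit message. The effect of
seutil_read_config() below is an assumption, not the interface's definition.
"""
import re
from dataclasses import dataclass
from enum import Enum

# One sesearch-style TE rule, e.g.
#   allow a_t b_t:file { open read };
#   dontaudit a_t b_t:dir search;
RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit)\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+));?$"
)


@dataclass(frozen=True)
class Rule:
    kind: str
    src: str
    tgt: str
    cls: str
    perms: frozenset


def parse_rules(text):
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules.append(Rule(m.group("kind"), m.group("src"), m.group("tgt"),
                          m.group("cls"), frozenset(perms)))
    return rules


class Outcome(str, Enum):
    ALLOWED = "allowed"
    SILENT_DENY = "denied, no AVC record (dontaudit)"
    AUDITED_DENY = "denied, AVC record logged"


def check_access(rules, src, tgt, cls, perms):
    """Map each requested permission to its outcome.

    An allow rule grants the access whether or not a dontaudit rule also
    matches; a dontaudit rule alone only silences the denial. Neverallow
    rules, constraints and attributes are out of scope for this toy.
    """
    result = {}
    for p in perms:
        matching = [r for r in rules
                    if r.src == src and r.tgt == tgt and r.cls == cls and p in r.perms]
        if any(r.kind == "allow" for r in matching):
            result[p] = Outcome.ALLOWED
        elif any(r.kind == "dontaudit" for r in matching):
            result[p] = Outcome.SILENT_DENY
        else:
            result[p] = Outcome.AUDITED_DENY
    return result


# Constructed input: the rules quoted in the commit message (pre-fix state).
BEFORE = """
allow systemd_update_done_t file_type:filesystem getattr;
allow systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };
"""

# Assumed effect of seutil_read_config() for this example (not the real
# interface body): read access to selinux_config_t files.
AFTER = BEFORE + """
allow systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };
"""

# The traced call, openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC),
# needs dir search on /etc/selinux and file { open read } on the config file.
OPENAT_DIR_PERMS = ("search",)
OPENAT_FILE_PERMS = ("open", "read")


def explain_openat(rule_text):
    """Return {'dir:search': Outcome, 'file:open': Outcome, 'file:read': Outcome}."""
    rules = parse_rules(rule_text)
    d = check_access(rules, "systemd_update_done_t", "selinux_config_t", "dir", OPENAT_DIR_PERMS)
    f = check_access(rules, "systemd_update_done_t", "selinux_config_t", "file", OPENAT_FILE_PERMS)
    return {**{f"dir:{k}": v for k, v in d.items()}, **{f"file:{k}": v for k, v in f.items()}}


if __name__ == "__main__":
    for label, text in (("before seutil_read_config", BEFORE), ("after seutil_read_config", AFTER)):
        print(label)
        for access, outcome in explain_openat(text).items():
            print(f"  {access:12} {outcome.value}")
```

On a real system the equivalent check is to rebuild the policy with dontaudit rules disabled (`semodule -DB`), reproduce the failure, read the now-visible AVC with `ausearch -m AVC`, and restore normal auditing with `semodule -B`; the script above only models why the original audit log stayed empty.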
-rw-r--r--  policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion, 0 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2dc8b901d..1eb35aa4a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1752,6 +1752,7 @@ kernel_read_kernel_sysctls(systemd_update_done_t)
selinux_use_status_page(systemd_update_done_t)
+seutil_read_config(systemd_update_done_t)
seutil_read_file_contexts(systemd_update_done_t)
systemd_log_parse_environment(systemd_update_done_t)
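Review bot: the commit message should state why the existing seutil_read_file_contexts(systemd_update_done_t) call is not enough on its own: libselinux reads /etc/selinux/config to locate the policy root before it can open file_contexts, so the labeling handle cannot be created without read access to selinux_config_t files, and the dontaudit rule on selinux_config_t:file { getattr ioctl lock open read } quoted in the message is what hid the denial. Since that dontaudit rule (and the matching one on selinux_config_t:dir) is clearly reachable from systemd_update_done_t already, it is worth locating the call that produces it (likely a seutil_dontaudit_read_config() for this domain) and dropping it in the same patch, as it becomes redundant once the allow rule is added; otherwise the seutil_read_config() line is placed correctly in alphabetical order before seutil_read_file_contexts().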