author | Dave Sugar <dsugar100@gmail.com> | 2022-08-25 22:45:24 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2022-09-03 12:07:50 -0700 |
commit | d63d91588adf55e6867440af9b9f6a4fe6c166f6 (patch) | |
tree | b60a705c1b54673e6c30323baccb4022aeaeda91 | |
parent | firewalld: firewalld-cmd uses dbus (diff) | |
systemd: init_t creates systemd-logind 'linger' directory
node=localhost type=AVC msg=audit(1661480051.880:321): avc: denied { create } for pid=1027 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/system/init.te | 1 | ||||
-rw-r--r-- | policy/modules/system/systemd.if | 21 |
2 files changed, 22 insertions, 0 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 285ee5b40..9ecaae54b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -551,6 +551,7 @@ ifdef(`init_systemd',`
 optional_policy(`
 systemd_dbus_chat_logind(init_t)
+ systemd_create_logind_linger_dir(init_t)
 systemd_search_all_user_keys(init_t)
 systemd_create_all_user_keys(init_t)
 systemd_write_all_user_keys(init_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index f48cc5413..2370c729b 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2033,6 +2033,27 @@ interface(`systemd_read_logind_state',`
 ########################################
 ## <summary>
+## Allow the specified domain to create
+## the systemd-logind linger directory with
+## the correct context.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_logind_linger_dir',`
+ gen_require(`
+ type systemd_logind_var_lib_t;
+ ')
+
+ init_var_lib_filetrans($1, systemd_logind_var_lib_t, dir, "linger")
+ allow $1 systemd_logind_var_lib_t:dir create;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to start systemd
 ## user manager units (systemd --user).
 ## </summary> |
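Review bot: The new `allow $1 systemd_logind_var_lib_t:dir create;` in `systemd_create_logind_linger_dir` uses a bare `create` permission where refpolicy interfaces conventionally use the named permission sets; `allow $1 systemd_logind_var_lib_t:dir create_dir_perms;` (create plus getattr) is the usual form and still covers the single AVC quoted in the commit message. That AVC came from `comm="(d-logind)"`, i.e. PID 1 preparing the service's state directory before exec, and that path normally also chowns/chmods what it just created, so a follow-up `setattr` denial seems likely once `create` is granted — worth confirming under permissive mode rather than guessing here. Separately, if `init_var_lib_filetrans` is built on `filetrans_pattern` as elsewhere in refpolicy, the caller also receives `rw_dir_perms` on `init_var_lib_t` (/var/lib/systemd) as a side effect, which the interface summary should mention so future callers do not treat it as narrowly scoped, e.g. `## Note: the file transition also grants the domain write access to the parent init_var_lib_t directory.` The doc header whose `########`/`## <summary>` lines open this hunk belongs to the following "start systemd user manager units" interface, whose body continues outside the hunk.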