From c8c418267d093a8c370c1460956f6fde9c0f3fc1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 21 Jan 2020 13:25:32 -0500
Subject: [PATCH 1/2] systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.

Signed-off-by: Chris PeBenito
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 985105ed9..99886239d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1020,6 +1020,7 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+allow systemd_passwd_agent_t systemd_passwd_var_run_t:dir watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)

From b3204ea4c194483b8ae46ba76f5fff22bf31b132 Mon Sep 17 00:00:00 2001
From: Daniel Burgener
Date: Fri, 11 Dec 2020 18:22:42 +0000
Subject: [PATCH 2/2] Allow systemd-ask-password to watch files

On systems that use plymouth, systemd-ask-password may set watches on the contents on /run/systemd/ask-password, whereas other scenarions only set watch on the parent directory.

Signed-off-by: Daniel Burgener
---
 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 99886239d..8772ddf02 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
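Review bot: The added rule names the object type `systemd_passwd_var_run_t` while the three manage_*_pattern lines directly below it use `systemd_passwd_runtime_t`; if the former is only a typealias of the latter the rule works but should use the canonical name, and if it is a distinct type the watch permission lands on the wrong label. Either way the line should read `allow systemd_passwd_agent_t systemd_passwd_runtime_t:dir watch;`, and the same naming applies to the replacement line in PATCH 2/2. The subject line refers to systemd-tty-ask while the rule is written for systemd_passwd_agent_t, which is presumably the domain of that agent; a short comment above the rule, `# systemd-tty-ask-password-agent watches /run/systemd/ask-password`, would make the purpose clear next to the rule itself. The enclosing systemd_passwd_agent_t policy block starts before and continues after this hunk.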
@@ -1020,7 +1020,7 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:dir watch;
+allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
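Review bot: The reason the `file` class is now needed lives only in the commit message; a reader of systemd.te sees a `{ dir file } watch` rule between unrelated self rules and the manage_*_pattern lines and cannot tell why watches on individual files are required. Add a comment above the changed line, e.g. `# plymouth systems set watches on the files under /run/systemd/ask-password, other setups only on the directory`. The same directory also holds sock files (manage_sock_files_pattern just below); nothing in this patch shows watches being set on those, so leave sock_file out of the rule unless a concrete denial is observed. The enclosing systemd_passwd_agent_t policy block starts before and continues after this hunk.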