journald: allow to remove /run/log/journal

it happens when switching from tmpfs to persistent storage Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2020-02-18 15:13:29 +00:00 · 2020-02-18 15:13:29 +00:00 · 6afabe971f
parent 2400f6a74c
commit 6afabe971f
1 changed files with 3 additions and 0 deletions
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -529,6 +529,9 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };

+	# remove /run/log/journal when switching to permanent storage
+	allow syslogd_t var_log_t:dir rmdir;
+
 	kernel_getattr_dgram_sockets(syslogd_t)
 	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)