Allow systemd-tmpfilesd to relabel generic files inside /etc
Enable this only when the systemd_tmpfilesd_factory tunable is set; otherwise silence the denials with dontaudit rules.

Fixes:
avc: denied { relabelfrom } for comm="systemd-tmpfile" name="pam.d" dev= ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
This commit is contained in:
parent
68e5f4d3f3
commit
900a51f134
|
@ -1609,6 +1609,25 @@ interface(`files_relabel_config_dirs',`
|
|||
relabel_dirs_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
#########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to relabel configuration directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_dontaudit_relabel_config_dirs',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
dontaudit $1 configfile:dir relabel_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read config files in /etc.
|
||||
|
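Review bot: The separator line above the new `files_dontaudit_relabel_config_dirs` interface appears to be one `#` longer than the 40-column rule the file uses just below it before `## Read config files in /etc.`; trim it so the header style stays uniform across the .if file. Separately, if `relabel_dir_perms` is the usual refpolicy set `{ getattr relabelfrom relabelto }`, this interface also suppresses getattr denials on every `configfile`-labelled directory, which the summary does not say; consider `## Do not audit attempts to relabel (including getattr) configuration directories.` so callers know the rule is slightly wider than its name. This hunk is self-contained; the interface it adds is complete.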
@ -1667,6 +1686,25 @@ interface(`files_relabel_config_files',`
|
|||
relabel_files_pattern($1, configfile, configfile)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to relabel configuration files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain not to audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`files_dontaudit_relabel_config_files',`
|
||||
gen_require(`
|
||||
attribute configfile;
|
||||
')
|
||||
|
||||
dontaudit $1 configfile:file relabel_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a filesystem on all mount points.
|
||||
|
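Review bot: The separator above `files_dontaudit_relabel_config_files` looks one `#` shorter than the file's 40-column rule seen before `## Mount a filesystem on all mount points.`; please match it. Worth a caveat in the interface documentation as well: the dontaudit covers the whole `configfile` attribute, so a domain that is granted it will leave no audit trail when it tries to relabel any config file, not just the one that motivated the rule — a hint such as `## Note: this hides relabel attempts on all configfile types, so use it only where the attempts are known to be harmless.` would help future callers weigh the loss of signal. The interface is complete within this hunk.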
|
|
@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
|
|||
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
||||
|
||||
files_manage_etc_files(systemd_tmpfiles_t)
|
||||
files_relabel_config_dirs(systemd_tmpfiles_t)
|
||||
files_relabel_config_files(systemd_tmpfiles_t)
|
||||
',`
|
||||
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
||||
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
||||
|
||||
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
|
||||
files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
|
||||
files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
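Review bot: In the true branch of the tunable, `files_relabel_config_dirs(systemd_tmpfiles_t)` and `files_relabel_config_files(systemd_tmpfiles_t)` grant relabelfrom and relabelto across every `configfile` type, which is considerably wider than the single `relabelfrom` on an `etc_t` directory quoted in the commit message; nothing in the hunk says why file relabel or relabelto is needed. If the intent is that factory tmpfiles.d entries restore contexts under /etc (presumably the `z`/`Z` line types — please confirm), add a comment above the two calls, e.g. `# factory tmpfiles.d lines may restore file contexts under /etc, which needs relabel on all config types`, so the next reviewer does not narrow it blindly or leave it unexplained. The enclosing `tunable_policy(\`systemd_tmpfilesd_factory', \`` block opens in the hunk header, outside the visible lines.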
|