Allow systemd-tmpfilesd to relabel generic files inside /etc
Enable this only with the systemd_tmpfilesd_factory tunable, otherwise silence the messages with a dontaudit rule. Fixes: avc: denied { relabelfrom } for comm="systemd-tmpfile" name="pam.d" dev= ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir Signed-off-by: Krzysztof Nowicki <krissn@op.pl>
parent
68e5f4d3f3
commit
900a51f134
|
@ -1609,6 +1609,25 @@ interface(`files_relabel_config_dirs',`
|
||||||
relabel_dirs_pattern($1, configfile, configfile)
|
relabel_dirs_pattern($1, configfile, configfile)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to relabel configuration directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain not to audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_dontaudit_relabel_config_dirs',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 configfile:dir relabel_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read config files in /etc.
|
## Read config files in /etc.
|
||||||
|
@ -1667,6 +1686,25 @@ interface(`files_relabel_config_files',`
|
||||||
relabel_files_pattern($1, configfile, configfile)
|
relabel_files_pattern($1, configfile, configfile)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to relabel configuration files
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain not to audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`files_dontaudit_relabel_config_files',`
|
||||||
|
gen_require(`
|
||||||
|
attribute configfile;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 configfile:file relabel_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Mount a filesystem on all mount points.
|
## Mount a filesystem on all mount points.
|
||||||
|
|
|
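Review bot: The separator lines above the two new interfaces do not match the 40-character `########################################` convention used by the neighbouring interfaces in this file: the one above `files_dontaudit_relabel_config_dirs` is one `#` longer and the one above `files_dontaudit_relabel_config_files` is one `#` shorter than the separators that follow each of them. The two new summaries also drop the trailing period that the adjacent `## Read config files in /etc.` summary carries; `## Do not audit attempts to relabel configuration directories.` and `## Do not audit attempts to relabel configuration files.` would match. The bodies themselves mirror the allow counterparts correctly: `dontaudit $1 configfile:dir relabel_dir_perms;` and `dontaudit $1 configfile:file relabel_file_perms;` silence exactly the permission set the `relabel_dirs_pattern`/`relabel_files_pattern` calls in `files_relabel_config_dirs`/`files_relabel_config_files` grant, so the `relabelfrom` denial on `etc_t` quoted in the description is covered provided `etc_t` carries the `configfile` attribute (its declaration is not in this diff).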
@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
|
||||||
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
||||||
|
|
||||||
files_manage_etc_files(systemd_tmpfiles_t)
|
files_manage_etc_files(systemd_tmpfiles_t)
|
||||||
|
files_relabel_config_dirs(systemd_tmpfiles_t)
|
||||||
|
files_relabel_config_files(systemd_tmpfiles_t)
|
||||||
',`
|
',`
|
||||||
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
|
||||||
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
|
||||||
|
|
||||||
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
|
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
|
||||||
|
files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
|
||||||
|
files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
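Review bot: The `files_relabel_config_dirs`/`files_relabel_config_files` calls added inside the `systemd_tmpfilesd_factory` branch grant relabelfrom and relabelto over every type carrying the `configfile` attribute, not only the `etc_t` named in the reported denial, so with the tunable enabled systemd-tmpfiles can change a file under /etc from one configuration type to any other. That is broader than the `files_manage_etc_files` call already in this branch, and the tunable's `<desc>` (declared outside this hunk) should state that relabeling is part of what it switches on; a comment on the new lines such as `# relabel covers the whole configfile attribute, not just etc_t` would also make the scope visible to the next reader. If the factory copies only ever need their labels restored on files tmpfilesd itself created in /etc, a rule scoped to `etc_t` would be the tighter option, but this hunk does not show which types the factory copies touch. The `dontaudit` branch mirrors the allow branch one-to-one, consistent with the existing read/manage pairs above it; the enclosing `tunable_policy` block begins before this hunk and the trailing `optional_policy(` continues past it.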
|
||||||
|
|