From c0b1c7be6666151f808a43438cdbed93769f5e78 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Apr 2021 10:56:49 -0400
Subject: [PATCH] init: allow systemd to rw shadow lock files

This is in support of dynamic users.

Signed-off-by: Kenton Groombridge
---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 32b48ec53..b1afa4eb0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -476,6 +476,8 @@ ifdef(`init_systemd',`
 auth_relabel_login_records(init_t)
 auth_relabel_pam_console_data_dirs(init_t)
 auth_domtrans_chk_passwd(init_t)
+ # for systemd dynamic users
+ auth_rw_shadow_lock(init_t)
 logging_manage_runtime_sockets(init_t)
 logging_relabelto_devlog_sock_files(init_t)
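Review bot: The added comment `# for systemd dynamic users` does not say why PID 1 needs the lock, which matters for a rule that gives `init_t` read/write access to shadow lock files. A comment such as `# systemd takes the passwd/shadow lock while allocating a DynamicUser= UID` (wording to be confirmed against systemd's behaviour) would let a later auditor judge whether the access is still required. The rule sits unconditionally inside the `init_systemd` ifdef block, which opens outside this hunk, so it applies on every systemd build whether or not any unit uses dynamic users. If systemd opens the lock with create semantics, read/write on an existing file may not be sufficient where the lock file is absent; checking for AVC denials on a fresh boot would settle that.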