systemd: allow systemd-resolved to manage link files

The systemd-resolved may create a symlink stub-resolv.conf pointing to resolv.conf under /run/system/resolve directory. Fixes: avc: denied { create } for pid=329 comm="systemd-resolve" name=".#stub-resolv.conf53cb7f9d1e3aa72b" scontext=system_u:system_r:systemd_resolved_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_resolved_runtime_t:s0 tclass=lnk_file permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-01-25 14:14:59 +08:00 · 2021-01-25 14:14:59 +08:00 · b1f16bf755
commit b1f16bf755
parent e639a14d4c
1 changed files with 1 additions and 0 deletions
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -1422,6 +1422,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;

 manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)