selinux-refpolicy/policy/modules
Sugar, David e1ccf0ce02 Allow systemd to getattr all files
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service.  But this requires getattr permissions on the types.
Example denials that fit the problem.

The first example is from lvm, when accessing a config file.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-02-08 09:38:25 -05:00
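As an added example (not part of this commit or of refpolicy), a small Python triage script that parses the two AVC records quoted in the commit message above, groups the denials by source type, target type and object class, and renders the narrow per-type allow rules they would need; the commit itself instead grants getattr to init_t on all file types, which the script does not model. The regex names and the helper functions are assumptions of this example, and the two sample records are the page's own denials re-joined onto single lines.

```python
import re
from collections import defaultdict

# Two AVC records reconstructed from the denials quoted in the commit
# message above (each was wrapped across several lines there).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for '
    'pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for '
    'pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third field.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but not actually blocked.
    fields['enforced'] = fields.get('permissive') == '0'
    return fields


def summarize(lines):
    """Group denials by (source type, target type, class) and collect the perms."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(grouped)


def allow_rules(lines):
    """Render the minimal per-type allow rules that would cover the denials."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summarize(lines).items()
    )
```

Feeding a full audit.log through the same functions shows which init_t denials were actually enforced (permissive=0) versus merely logged, before deciding between per-type rules and the broad grant this commit chose.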