diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 3b0302b6f..16905d6bc 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,3 +1,5 @@
+/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
+
 /etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0)
 /run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0)
@@ -46,6 +48,8 @@
 /usr/lib/systemd/system/systemd-networkd.* gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
+/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
+
 /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 47b7c7e7e..56c82c83f 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1126,12 +1126,13 @@ optional_policy(`
 # Update Done local policy
 #
-allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+allow systemd_update_done_t self:process setfscreate;
-dev_write_kmsg(systemd_update_done_t)
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
-kernel_read_system_state(systemd_update_done_t)
+seutil_read_file_contexts(systemd_update_done_t)
+systemd_log_parse_environment(systemd_update_done_t)
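Review bot: Dropping `dev_write_kmsg(systemd_update_done_t)` and `kernel_read_system_state(systemd_update_done_t)` in the systemd.te hunk is only access-preserving if `systemd_log_parse_environment` grants both the /dev/kmsg write and the proc reads, and that interface body is outside this diff, so it should be confirmed rather than assumed before merge. The new `self:process setfscreate` rule lets the domain pick its own create label, which in this hunk appears bounded by `manage_file_perms` on systemd_update_run_t being its only file-write rule (other rules on this domain may exist outside the 12-line window), but the reason for pairing `setfscreate` with `seutil_read_file_contexts` is not recorded; a line above the self rule such as `# presumably update-done sets the .updated label itself from file_contexts; filetrans rules below remain the fallback` would keep the next reader from re-adding a filetrans-only design. The enclosing `optional_policy(\`` block opens before the hunk and its closing `')` is not shown.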