[refpolicy] [PATCH 1/1] Fix problem labeling /run/log/journal/*

David Sugar dsugar at tresys.com
Mon Oct 9 21:15:13 UTC 2017


Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*

[    4.758398] type=1400 audit(1507601754.187:3): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[    4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[    4.758736] type=1400 audit(1507601754.187:4): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[    4.758928] type=1400 audit(1507601754.187:5): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[    4.759144] type=1400 audit(1507601754.187:6): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[    4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied

Signed-off-by: Dave Sugar <dsugar at tresys.com>
---
 policy/modules/system/init.te    |  3 +++
 policy/modules/system/systemd.if | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0aecd169..df5e1611 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,12 +320,15 @@ ifdef(`init_systemd',`
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
+	logging_relabel_generic_log_dirs(init_t)
 
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
 	systemd_relabelto_tmpfiles_conf_dirs(init_t)
 	systemd_relabelto_tmpfiles_conf_files(init_t)
+	systemd_relabelto_journal_dirs(init_t)
+	systemd_relabelto_journal_files(init_t)
 
 	term_create_devpts_dirs(init_t)
 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 766f33fb..69669a1a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -348,6 +348,46 @@ interface(`systemd_manage_journal_files',`
 	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
 ')
 
+
+########################################
+## <summary>
+##	Relabel to systemd-journald directory type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_dirs',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	files_search_var($1)
+	allow $1 systemd_journal_t:dir relabelto_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to systemd-journald file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_files',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	files_search_var($1)
+	list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
+	allow $1 systemd_journal_t:file relabelto_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
-- 
2.13.5


More information about the refpolicy mailing list