commit: cc6930453f9123999e2be8338b3a92599e82be78 Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> AuthorDate: Sun Sep 7 21:28:13 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sat Sep 13 09:30:07 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc693045
Support logging with /run/systemd/journal/dev-log In June 2014 systemd moved the socket used by journald to /run. This requires two new directory search access for every domain sending syslog messages: * /run/systemd/ (handled by init_search_run) * /run/systemd/journal/ (labeled syslogd_var_run_t) systemd commit: http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99
---
 policy/modules/system/logging.if | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6bd6586..042aa70 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -530,12 +530,16 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 gen_require(`
- type syslogd_t, devlog_t;
+ type syslogd_t, syslogd_var_run_t, devlog_t;
 ')
 
 allow $1 devlog_t:lnk_file read_lnk_file_perms;
 allow $1 devlog_t:sock_file write_sock_file_perms;
 
+ # systemd journal socket is in /run/systemd/journal/dev-log
+ init_search_run($1)
+ allow $1 syslogd_var_run_t:dir search_dir_perms;
+
 # the type of socket depends on the syslog daemon
 allow $1 syslogd_t:unix_dgram_socket sendto;
 allow $1 syslogd_t:unix_stream_socket connectto;
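Review bot: The added `init_search_run($1)` call is placed between the interface's own allow rules, whereas refpolicy convention keeps a module's allow rules together and puts calls to other modules' interfaces after them; moving the call below the `syslogd_t:unix_*_socket` rules would match the rest of logging.if. The hunk grants only directory search on the new path, so the socket write still depends on `/run/systemd/journal/dev-log` itself being labeled `devlog_t` by a file context outside this diff (not visible here) — if no such entry exists the socket inherits `syslogd_var_run_t` and the `sendto` is still denied, so that labeling is worth confirming. The added comment could state that dependency explicitly: `# systemd journal socket is in /run/systemd/journal/dev-log; search only, the socket itself must be labeled devlog_t`. The interface's summary block above the hunk and its closing `')` are outside the hunk.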
