commit: 5979688e9262dcd53700afcc47f3a053d906ec3b
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar 6 18:23:11 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5979688e
logging, systemd: allow relabelfrom,relabelto on systemd journal files by
systemd-journald
journald's journal-offline will relabel log files. It should be noted
however that this happens even if the files already have the correct
label.
avc: granted { relabelfrom } for pid=11440 comm="journal-offline"
name=".#system <AT>
97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e"
dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc: granted { relabelto } for pid=11440 comm="journal-offline"
name=".#system <AT>
97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e"
dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/logging.te | 2 ++
policy/modules/system/systemd.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index aa436b639..227dc6776 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -566,6 +566,8 @@ ifdef(`init_systemd',`
systemd_manage_journal_files(syslogd_t)
systemd_watch_journal_dirs(syslogd_t)
+ systemd_relabelfrom_journal_files(syslogd_t)
+ systemd_relabelto_journal_files(syslogd_t)
udev_read_runtime_files(syslogd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a903282f0..77a59c662 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1775,6 +1775,24 @@ interface(`systemd_watch_journal_dirs',`
allow $1 systemd_journal_t:dir watch;
')
+########################################
+## <summary>
+## Relabel from systemd-journald file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelfrom_journal_files',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ allow $1 systemd_journal_t:file relabelfrom_file_perms;
+')
+
########################################
## <summary>
## Relabel to systemd-journald directory type.
