commit: 5979688e9262dcd53700afcc47f3a053d906ec3b Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Mon Mar 6 18:23:11 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Mar 31 17:11:32 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5979688e
logging, systemd: allow relabelfrom,relabelto on systemd journal files by systemd-journald
journald's journal-offline will relabel log files. It should be noted however that this happens even if the files already have the correct label.
avc: granted { relabelfrom } for pid=11440 comm="journal-offline" name=".#system <AT> 97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc: granted { relabelto } for pid=11440 comm="journal-offline" name=".#system <AT> 97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/logging.te | 2 ++
policy/modules/system/systemd.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index aa436b639..227dc6776 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -566,6 +566,8 @@ ifdef(`init_systemd',`
 systemd_manage_journal_files(syslogd_t)
 systemd_watch_journal_dirs(syslogd_t)
+ systemd_relabelfrom_journal_files(syslogd_t)
+ systemd_relabelto_journal_files(syslogd_t)
 udev_read_runtime_files(syslogd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a903282f0..77a59c662 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
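Review bot: The two added calls in logging.te are only meaningful together, and the relabelto target is the same type the files already carry, so this is a type-preserving relabel rather than a way for syslogd_t to move journal files into another label; the commit message records why it is needed (journal-offline relabels even when the label is already correct) but the policy does not, and that rationale is exactly what a later reviewer trimming syslogd_t permissions will want. I would put `# journal-offline relabels journal files even when already correctly labeled` on the line above the two calls. `systemd_relabelto_journal_files` is not added by this commit, so it presumably already exists in systemd.if (the diffstat's 18 insertions match the single new interface there) — worth confirming, since the module would not build otherwise. The enclosing `ifdef(\`init_systemd',\`` block begins and ends outside the hunk.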
@@ -1775,6 +1775,24 @@ interface(`systemd_watch_journal_dirs',`
 allow $1 systemd_journal_t:dir watch;
 ')
+########################################
+## <summary>
+## Relabel from systemd-journald file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelfrom_journal_files',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+ allow $1 systemd_journal_t:file relabelfrom_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Relabel to systemd-journald directory type.
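Review bot: The new interface's summary states what it does but not its scope: `relabelfrom_file_perms` is granted on the `file` class only, and relabelfrom alone is inert without a matching relabelto that the caller must obtain separately. I would extend the `<summary>` to `Relabel from systemd-journald file type (file class only; pair with systemd_relabelto_journal_files).` so callers do not expect dir or lnk_file coverage. Since the only caller in this commit relabels journal files back to the same type, a single `systemd_relabel_journal_files` interface granting `relabel_file_perms` would also express a same-type relabel, though keeping the from/to split is consistent with the existing `systemd_relabelto_journal_dirs` interface shown in the trailing context; that is a maintainer's call. The interface definition is complete within this hunk.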