| field | value | date |
|---|---|---|
| author | Sugar, David <dsugar@tresys.com> | 2019-01-19 16:19:16 +0000 |
| committer | Jason Zaman <jason@perfinion.com> | 2019-02-10 12:11:25 +0800 |
| commit | 951ad0b1f01f315117a4fe6b5a327c463a3dfaf1 | |
| tree | ac8739cd78a83b818fee756bfc420af2e0321734 /policy | |
| parent | Add interface clamav_run | |
Add interface to read journal files
When using 'systemctl status <service>' it will show recent
log entries for the selected service. These recent log
entries are coming from the journal. These rules allow the
reading of the journal files.
type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
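The commit message derives the new rules from the quoted AVC denials. As an added example (not part of the commit or of refpolicy), the script below does that derivation explicitly: it parses the denials copied from the message above, aggregates the permissions each (source type, target type, class) needs, and checks them against the permission sets the two pattern macros in the patch expand to. The `LIST_DIR_PERMS` and `MMAP_READ_FILE_PERMS` sets are assumed from refpolicy's obj_perm_sets.spt, which the page does not show; verify them against the checked-out tree before relying on the coverage result.

```python
import re
from collections import defaultdict

# AVC denials quoted verbatim from the commit message above.
AVC_LINES = """\
type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
""".splitlines()

# Pull the denied permission set and the two security contexts out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Reduce a user:role:type[:range] context to its type component."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def required_perms(lines):
    """Aggregate denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(needed)


# Assumed expansions of the refpolicy permission sets used by the two pattern
# macros in the patch (from obj_perm_sets.spt, which the page does not quote).
LIST_DIR_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}
MMAP_READ_FILE_PERMS = {"getattr", "open", "map", "read", "ioctl", "lock"}


def granted_by_interface(domain, target="systemd_journal_t"):
    """Model what systemd_read_journal_files(domain) grants on the journal type."""
    return {
        (domain, target, "dir"): set(LIST_DIR_PERMS),      # list_dirs_pattern
        (domain, target, "file"): set(MMAP_READ_FILE_PERMS),  # mmap_read_files_pattern
    }


def uncovered(needed, granted):
    """Denials the proposed rules do not satisfy; an empty dict means full coverage."""
    gaps = {}
    for key, perms in needed.items():
        missing = perms - granted.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    needed = required_perms(AVC_LINES)
    for key, perms in sorted(needed.items()):
        print(key, sorted(perms))
    print("uncovered:", uncovered(needed, granted_by_interface("monitor_t")))
```

Run it on an audit.log excerpt instead of the embedded lines to see whether a proposed interface actually closes every denial for a domain; the same aggregation is what audit2allow performs before printing rules, but doing it by hand makes it clear that only the journal type is covered and that denials on other types (for example the parent log directory) would show up as gaps.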
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/system/systemd.if | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 740b3a925..c6d40b10c 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -409,6 +409,24 @@ interface(`systemd_manage_journal_files',` allow $1 systemd_journal_t:file map; ') +######################################## +## <summary> +## Allow domain to read systemd_journal_t files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_read_journal_files',` + gen_require(` + type systemd_journal_t; + ') + + list_dirs_pattern($1, systemd_journal_t, systemd_journal_t) + mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t) +') ######################################## ## <summary> |
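Review bot: the new interface grants access only on systemd_journal_t, but the quoted denials show the files living under /var/log/journal, and a caller still needs search on that parent log directory to reach them; nothing in this hunk grants it, so a domain that has not already been given logging_search_logs() will get a fresh denial on the parent directory type once these rules are in place. Consider adding `logging_search_logs($1)` next to the two pattern calls, unless this file's convention is to leave parent-directory search to the caller. The rules themselves match the denials: list_dirs_pattern covers the dir read/open, and mmap_read_files_pattern covers getattr/read/open/map on the journal files, including the map permission that the preceding systemd_manage_journal_files interface has to add with an explicit allow.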