diff options
| author |   Dave Sugar <dsugar100@gmail.com> | 2023-12-10 21:00:30 -0500 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:02:50 -0500 |
| commit | fdd3334f00f397aa2e5ca8700a756dc8637eda70 (patch) | |
| tree | 2d1d6bca8de54c82f434563930dea86df575b864 /policy | |
| parent | Allow sudo dbus chat w/sysemd-logind (diff) | |
| download | hardened-refpolicy-fdd3334f00f397aa2e5ca8700a756dc8637eda70.tar.gz hardened-refpolicy-fdd3334f00f397aa2e5ca8700a756dc8637eda70.tar.bz2 hardened-refpolicy-fdd3334f00f397aa2e5ca8700a756dc8637eda70.zip | |
The L+ tmpfiles option needs to read the symlink
node=localhost type=AVC msg=audit(1701956913.910:21672): avc: denied {
read } for pid=3783 comm="systemd-tmpfile" name="motd" dev="tmpfs" ino=1812 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
| -rw-r--r-- | policy/modules/system/systemd.if | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 211c85883..a7bdc8f82 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2439,7 +2439,7 @@ interface(`systemd_tmpfilesd_managed',` allow systemd_tmpfiles_t $1:dir { manage_dir_perms relabel_dir_perms }; allow systemd_tmpfiles_t $1:file { create setattr unlink write_file_perms relabel_file_perms }; - allow systemd_tmpfiles_t $1:lnk_file { create setattr unlink relabel_lnk_file_perms }; + allow systemd_tmpfiles_t $1:lnk_file { create read setattr unlink relabel_lnk_file_perms }; allow systemd_tmpfiles_t $1:fifo_file { create setattr unlink relabel_fifo_file_perms }; ifelse(`$2',`',`',` |