From fdd3334f00f397aa2e5ca8700a756dc8637eda70 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Sun, 10 Dec 2023 21:00:30 -0500 Subject: The L+ tmpfiles option needs to read the symlink node=localhost type=AVC msg=audit(1701956913.910:21672): avc: denied { read } for pid=3783 comm="systemd-tmpfile" name="motd" dev="tmpfs" ino=1812 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1 Signed-off-by: Dave Sugar Signed-off-by: Kenton Groombridge --- policy/modules/system/systemd.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'policy')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 211c8588..a7bdc8f8 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2439,7 +2439,7 @@ interface(`systemd_tmpfilesd_managed',`
 allow systemd_tmpfiles_t $1:dir { manage_dir_perms relabel_dir_perms };
 allow systemd_tmpfiles_t $1:file { create setattr unlink write_file_perms relabel_file_perms };
- allow systemd_tmpfiles_t $1:lnk_file { create setattr unlink relabel_lnk_file_perms };
+ allow systemd_tmpfiles_t $1:lnk_file { create read setattr unlink relabel_lnk_file_perms };
 allow systemd_tmpfiles_t $1:fifo_file { create setattr unlink relabel_fifo_file_perms };
 ifelse(`$2',`',`',`
-- cgit v1.2.3-65-gdbad
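Review bot: The new `read` on the `$1:lnk_file` rule is written as a bare permission, while the neighbouring rules use permission-set macros. `read_lnk_file_perms` would match them and should be equivalent here if `relabel_lnk_file_perms` already carries `getattr`: `allow systemd_tmpfiles_t $1:lnk_file { create setattr unlink read_lnk_file_perms relabel_lnk_file_perms };`. Because the rule sits in the `systemd_tmpfilesd_managed` interface, the access is granted on every type passed as `$1`, not only the `cockpit_runtime_t` symlink in the quoted denial. A one-line comment above the rule, such as `# tmpfiles.d L+ needs to read the symlink`, would record why it is there. The interface body starts and ends outside the hunk, so its doc header and callers are not visible here.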