From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1263199-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 9822A1382C5
	for <garchives@archives.gentoo.org>; Sun, 21 Mar 2021 22:11:02 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E9BF9E0869;
	Sun, 21 Mar 2021 22:11:01 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id C9618E0869
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Mar 2021 22:11:01 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 8DDFE33E690
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Mar 2021 22:11:00 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id CB6405FC
	for <gentoo-commits@lists.gentoo.org>; Sun, 21 Mar 2021 22:10:57 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1613418564.c7679c9a675138403d7e84d096c5c911b8635ea9.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: c7679c9a675138403d7e84d096c5c911b8635ea9
X-VCS-Branch: master
Date: Sun, 21 Mar 2021 22:10:57 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 15948fa7-ea24-4926-bb65-8ec8f2abafe0
X-Archives-Hash: 7e986c08f2f0e35bb3c370cdf04efce6

commit:     c7679c9a675138403d7e84d096c5c911b8635ea9
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 06:35:13 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7679c9a

When using systemd_tmpfilesd_managed also grant directory permissions

This allows systemd-tmpfilesd to create files inside directories
belonging to the subject domain.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index fb20b528..6a66a2d7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1174,6 +1174,7 @@ interface(`systemd_tmpfilesd_managed',`
 		type systemd_tmpfiles_t;
 	')
 
+	allow systemd_tmpfiles_t $1:dir list_dir_perms;
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
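Review bot: the added `allow systemd_tmpfiles_t $1:dir list_dir_perms;` line grants only list access on directories of type $1, while the commit message says the goal is to let systemd-tmpfilesd create files inside them. Creating an entry also requires write and add_name on the parent directory, which list_dir_perms does not include. If creation under $1 directories is really intended, a set such as add_entry_dir_perms would match the message; if search/list access is all that is needed, the commit message and the interface's summary comment should say that instead. The new rule also applies unconditionally, whatever class is passed as $2, so the interface documentation should mention that every caller now gives systemd_tmpfiles_t directory listing on $1.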