From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606305.6a26a817c369000f602f81d7f5da7b0fd5a1bff0.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 6a26a817c369000f602f81d7f5da7b0fd5a1bff0
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:34 +0000 (UTC)

commit:     6a26a817c369000f602f81d7f5da7b0fd5a1bff0
Author:     Yi Zhao windriver com>
AuthorDate: Sat Sep 30 10:00:38 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct 6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817

systemd: allow journalctl to create /var/lib/systemd/catalog

If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc: denied { getattr } for pid=247 comm="journalctl" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0
AVC avc: denied { write } for pid=247 comm="journalctl" name="systemd" dev="vda" ino=13634 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao windriver.com>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f1c4c856..c9d21bda5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t) dontaudit systemd_journal_init_t self:capability net_admin; +manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) -fs_getattr_cgroup(systemd_journal_init_t) +fs_getattr_all_fs(systemd_journal_init_t) fs_search_cgroup_dirs(systemd_journal_init_t) kernel_getattr_proc(systemd_journal_init_t)
@@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t) init_read_state(systemd_journal_init_t) init_search_var_lib_dirs(systemd_journal_init_t) +init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir) logging_send_syslog_msg(systemd_journal_init_t) logging_stream_connect_journald_varlink(systemd_journal_init_t)
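Review bot: Replacing fs_getattr_cgroup with fs_getattr_all_fs in the first hunk (-787,9 +787,10) grants getattr on every filesystem type to satisfy a single denial on tmpfs (the getattr AVC with dev="tmpfs" tclass=filesystem in the commit message); consider keeping fs_getattr_cgroup(systemd_journal_init_t) and adding fs_getattr_tmpfs(systemd_journal_init_t) instead, which covers the logged denial without the broader grant. Likewise manage_dirs_pattern on systemd_journal_t directories includes rmdir, rename and reparent; if journalctl only needs to create the catalog directory, create_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) together with the filetrans in the second hunk would be the narrower rule.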
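Review bot: init_var_lib_filetrans in the second hunk (-798,6 +799,7) is called without a name argument, so every directory systemd_journal_init_t creates under /var/lib/systemd (init_var_lib_t) is labeled systemd_journal_t, not only the catalog directory the commit message describes; scope it with the name, e.g. init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir, "catalog"). Also confirm that systemd.fc labels /var/lib/systemd/catalog as systemd_journal_t so the transition result matches what restorecon would apply.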