This allows systemd-journald to read /run/systemd/units/ link files.
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -547,6 +547,7 @@ ifdef(`init_systemd',`
 init_create_pid_dirs(syslogd_t)
 init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
 init_getattr(syslogd_t)
+ init_read_run_links(syslogd_t)
 init_rename_pid_files(syslogd_t)
 init_delete_pid_files(syslogd_t)
 init_dgram_send(syslogd_t)
Index: refpolicy-2.20180701/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/init.if
+++ refpolicy-2.20180701/policy/modules/system/init.if
@@ -894,6 +894,26 @@ interface(`init_dgram_send',`
 
 ########################################
 ## <summary>
+## read init /run link files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_read_run_links',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 init_var_run_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ## Read and write to inherited init unix streams.
 ## </summary>
 ## <param name="domain">
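Review bot: The added `init_read_run_links(syslogd_t)` call in logging.te has no comment saying why syslogd_t needs it, and in a long run of init_* calls the purpose of each grant is hard to audit later. A one-line comment above it would record the reason given in the patch description, for example `# systemd-journald reads the link files under /run/systemd/units/`. The enclosing init_systemd ifdef block starts and ends outside the hunk.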
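Review bot: The new `init_read_run_links` interface in init.if grants read on every lnk_file labelled init_var_run_t, which is wider than the /run/systemd/units/ links named in the description. If that directory shares its label with the rest of init's runtime state (the file contexts are not part of this patch), a narrower grant would need a dedicated type. The interface also gives the caller only `files_search_pids($1)` and no search permission on init_var_run_t directories, so it works for syslogd_t only if another rule already supplies that; `read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)` in place of the bare allow rule would make it self-contained. The `## <rolecap/>` tag probably does not belong on an access meant for a daemon domain, and the summary would match the neighbouring interfaces as `Read init /run link files.`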