On Thu, Jan 10, 2019 at 1:37 AM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> On 1/8/19 6:41 AM, Russell Coker wrote:
> > This allows systemd-journald to read /run/systemd/units/ link files.
> >
> > Index: refpolicy-2.20180701/policy/modules/system/logging.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> > +++ refpolicy-2.20180701/policy/modules/system/logging.te
> > @@ -547,6 +547,7 @@ ifdef(`init_systemd',`
> > init_create_pid_dirs(syslogd_t)
> > init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> > init_getattr(syslogd_t)
> > + init_read_run_links(syslogd_t)
> > init_rename_pid_files(syslogd_t)
> > init_delete_pid_files(syslogd_t)
> > init_dgram_send(syslogd_t)
> > Index: refpolicy-2.20180701/policy/modules/system/init.if
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> > +++ refpolicy-2.20180701/policy/modules/system/init.if
> > @@ -894,6 +894,26 @@ interface(`init_dgram_send',`
> >
> > ########################################
> > ## <summary>
> > +## read init /run link files
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`init_read_run_links',`
>
> I guess this is a race between patches. Should be named
> init_read_pid_symlinks. Same feedback as GitHub PR
> https://github.com/SELinuxProject/refpolicy/pull/17

I like "init_read_runtime_symlinks" more than "init_read_pid_symlinks" so I
have uploaded my Pull Request. If you prefer the second name, I can change
it again.

Compared to this patch, my PR does not use files_search_pids() but directly
read_lnk_files_pattern() like some other interfaces. I have no strong
preferences regarding this.

Thanks,
Nicolas
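Review bot: the call site added in the logging.te hunk, `+ init_read_run_links(syslogd_t)`, has to be renamed together with the interface once the name is settled (init_read_pid_symlinks per the review, init_read_runtime_symlinks per the follow-up PR), otherwise the policy build fails on an undefined interface; please keep the two hunks in sync in the resend. Separately, the commit message justifies the change for systemd-journald while the rule grants the access to syslogd_t, so a sentence stating that journald runs in the syslogd_t domain under this policy would make the justification match what the hunk actually does.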
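Review bot: the init.if hunk as quoted stops at `+interface(`init_read_run_links',`, so the gen_require block and the allow rules (the files_search_pids() and read_lnk_files_pattern() calls the follow-up message refers to) are not visible and cannot be checked against the `@@ -894,6 +894,26 @@` header, which announces more added lines than are shown; please post the full hunk. On what is visible, the summary `## read init /run link files` should say "symbolic links" and name the directory it covers (/run/systemd, per the commit message) so the interface is distinguishable from the existing init pid file interfaces, and the interface name should follow the convention already flagged in the review (symlinks, not links).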
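To make the difference Nicolas describes concrete, here is an illustrative refpolicy interface showing both variants side by side: the patch's form, which adds files_search_pids(), and the pull request's form, which relies on read_lnk_files_pattern() alone. This is an added example and is neither the body of Russell's patch (which is cut off above) nor the code in the pull request; the interface name is hypothetical, and it assumes that init_var_run_t is the type refpolicy assigns to /run/systemd.

```m4
########################################
## <summary>
##	Read symbolic links under the init runtime
##	directory (/run/systemd).  Illustrative interface
##	only; not the patch's or the pull request's code.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`example_init_read_runtime_symlinks',`
	gen_require(`
		# Assumption: init_var_run_t labels /run/systemd in refpolicy.
		type init_var_run_t;
	')

	# Variant A (the mailing-list patch): additionally grant search on
	# the parent /run directory (var_run_t) so the caller can reach the
	# links even if it has no other search rule on var_run_t.
	files_search_pids($1)

	# Variant B (the pull request) is this single pattern call.  It
	# expands to: allow $1 init_var_run_t:dir search_dir_perms and
	# allow $1 init_var_run_t:lnk_file read_lnk_file_perms.  Both
	# variants share this line; only the files_search_pids() differs.
	read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
')
```

Whether the extra files_search_pids() call is needed depends on the caller: a daemon such as syslogd_t that already manages its own /run subdirectory typically has search on var_run_t through other init_* and files_* interfaces, which is why the pattern call alone suffices in the pull request.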