journald already runs as syslogd_t label the config files similarly to allow editing by domains that can edit syslog configuration files. Also added some missing '\' before dot in filenames. Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/system/logging.fc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index c579c2d3..6693d87b 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -1,11 +1,13 @@ /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) -/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) -/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) -/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) -/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) +/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) +/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) -- 2.20.1
