type=AVC msg=audit(1554983723.772:784): avc: denied { create } for pid=8123 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
type=AVC msg=audit(1555070131.882:1648): avc: denied { getattr } for pid=8634 comm="plymouthd" path="/run/udev/data/c226:0" dev="tmpfs" ino=29946 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555070131.903:1652): avc: denied { open } for pid=8634 comm="plymouthd" path="/run/udev/data/+drm:card0-DP-1" dev="tmpfs" ino=31856 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555070131.903:1652): avc: denied { read } for pid=8634 comm="plymouthd" name="+drm:card0-DP-1" dev="tmpfs" ino=31856 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/services/plymouthd.te | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index 835ee035..6352375d 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -38,6 +38,7 @@ dontaudit plymouthd_t self:capability dac_override;
 allow plymouthd_t self:capability2 block_suspend;
 allow plymouthd_t self:process { signal getsched };
 allow plymouthd_t self:fifo_file rw_fifo_file_perms;
+dontaudit plymouthd_t self:netlink_kobject_uevent_socket create;
 allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
@@ -87,6 +88,10 @@ optional_policy(`
 gnome_read_generic_home_content(plymouthd_t)
 ')
 
+optional_policy(`
+ udev_dontaudit_rw_pid_files(plymouthd_t)
+')
+
 optional_policy(`
 sssd_stream_connect(plymouthd_t)
 ')
-- 
2.20.1
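Review bot: The `dontaudit plymouthd_t self:netlink_kobject_uevent_socket create;` rule added after the `fifo_file` rule hides the denial without recording why plymouthd can do without the socket. The only evidence in the commit message is one enforcing-mode (`permissive=0`) denial of `create`, so it would be worth confirming that display and hotplug handling still behave as expected when the socket cannot be created. I would put a comment above the rule, for example `# plymouthd tries to open a uevent netlink socket; not needed, so deny without logging`. Since a dontaudit rule removes the record from the audit log, later troubleshooting or investigation of this domain needs the policy rebuilt with dontaudit rules disabled (`semodule -DB`) to see these attempts again.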
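Review bot: `udev_dontaudit_rw_pid_files(plymouthd_t)` in the new `optional_policy` block suppresses more than the commit message demonstrates. The logged denials on `udev_var_run_t` files are `getattr`, `open` and `read` only, while the interface name indicates that write attempts are silenced as well. A write from plymouthd to `/run/udev/data` would be unexpected and is the kind of event worth keeping in the audit log, so a read-only dontaudit interface would be a tighter fit if udev.if provides one (not visible from this patch). Those three denials were captured with `permissive=1`, so the message does not show how plymouthd behaves once the reads are really blocked. A comment inside the block such as `# plymouthd reads /run/udev/data entries; access intentionally not granted` would record the intent.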