Chris PeBenito <pebenito@xxxxxxxx> writes:

> On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
>> From: Henrik Grindal Bakken <henribak@xxxxxxxxx>
>>
>> This is the same behaviour as files_*_non_auth_types have.

[...]

> NAK. Access per object class is already split up across separate
> interfaces, so doing this would be confusing and prevent someone from
> getting file-only access.

Ok. Then I would recommend rewriting the systemd_tmpfiles_t rules a bit,
because today it has a serious amount of AVC violations for pretty
standard usage. There are no matching interfaces for lnk_files, at
least.

Any suggestions as to how to set up the tmpfiles rules? A new interface
like this:

interface(`manage_non_security_somethingsomething',`
	gen_require(`
		attribute non_security_file_type;
	')

	manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')

or

interface(`manage_stuff',`
	manage_dirs_pattern($1, $2, $2)
	manage_files_pattern($1, $2, $2)
	manage_lnk_files_pattern($1, $2, $2)
	manage_fifo_files_pattern($1, $2, $2)
	manage_sock_files_pattern($1, $2, $2)
')

or call the manage_*_pattern() stuff directly from systemd.te?

(I guess one should add stuff for chr_file, etc)

-- 
Henrik Grindal Bakken <hgb@xxxxxxxxxx>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52
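One way to close the lnk_files gap Henrik points out while keeping the per-object-class split Chris describes, as an added example that is not code from this thread or from refpolicy itself: a hypothetical files_manage_non_security_lnk_files interface written in the files.if convention, and the per-class calls a systemd.te author would make so that systemd_tmpfiles_t gets only the classes it actually touches (files_manage_non_security_dirs and files_manage_non_security_files are assumed here to be the existing per-class interfaces; the attribute non_security_file_type is the one named in the thread).

```m4
# kernel/files.if  (added example; interface name is hypothetical)
########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on non-security file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_manage_non_security_lnk_files',`
	gen_require(`
		attribute non_security_file_type;
	')

	# lnk_file only: a caller that needs dirs or plain files
	# calls the matching per-class interface instead, so the
	# policy stays least-privilege per object class.
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
')

# system/systemd.te  (added example; call sites are illustrative)
########################################
#
# systemd tmpfiles local policy
#
# One interface per object class: grant dirs, files and symlinks,
# which is what tmpfiles.d entries normally create, and nothing more.
files_manage_non_security_dirs(systemd_tmpfiles_t)
files_manage_non_security_files(systemd_tmpfiles_t)
files_manage_non_security_lnk_files(systemd_tmpfiles_t)
```

If audit logs later show denials for further classes (fifo_file, sock_file, chr_file), the same pattern applies: add one narrowly scoped interface per class rather than a single all-classes interface, which is the objection raised in the NAK above.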