Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which are used to check various path/file/directory to control starting a service. But this requires getattr permissions on the types. Example denials that fit the problem. The first example is from lvm where accessing config file. type=AVC msg=audit(1575427946.229:1624): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0 This second example is from chronyd, but it is happening becuase I added the conditional in a drop-in file. type=AVC msg=audit(1575427959.882:1901): avc: denied { getattr } for pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1 v3 - rework to not use interface and allow getattr for all files Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/system/init.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 281d4fd2..c772ff40 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -335,6 +335,11 @@ ifdef(`init_systemd',` domain_subj_id_change_exemption(init_t) domain_role_change_exemption(init_t) + files_getattr_all_dirs(init_t) + files_getattr_all_files(init_t) + files_getattr_all_pipes(init_t) + files_getattr_all_sockets(init_t) + files_read_all_symlinks(init_t) files_read_all_pids(init_t) files_list_usr(init_t) files_list_var(init_t) -- 2.24.1