From: Jason Zaman <perfinion@xxxxxxxxxx> avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 --- policy/modules/services/accountsd.te | 2 ++ policy/modules/system/logging.if | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te index 9bf5962a..2e13e943 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t) files_read_mnt_files(accountsd_t) files_read_usr_files(accountsd_t) +files_watch_etc_dirs(accountsd_t) fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t) logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) +logging_watch_generic_logs_dir(accountsd_t) userdom_read_user_tmp_files(accountsd_t) userdom_read_user_home_content_files(accountsd_t) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 9c7a0dba..b2bba984 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',` manage_files_pattern($1, var_log_t, var_log_t) ') +######################################## +## <summary> +## Watch generic log dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_watch_generic_logs_dir',` + gen_require(` + type var_log_t; + ') + + allow $1 var_log_t:dir watch; +') + ######################################## ## <summary> ## All of the rules required to administrate -- 2.24.1