From: Jason Zaman <perfinion@xxxxxxxxxx>
avc: denied { watch } for pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
---
policy/modules/services/accountsd.te | 2 ++
policy/modules/system/logging.if | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 9bf5962a..2e13e943 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -40,6 +40,7 @@ dev_read_sysfs(accountsd_t)
files_read_mnt_files(accountsd_t)
files_read_usr_files(accountsd_t)
+files_watch_etc_dirs(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -54,6 +55,7 @@ miscfiles_read_localization(accountsd_t)
logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
+logging_watch_generic_logs_dir(accountsd_t)
userdom_read_user_tmp_files(accountsd_t)
userdom_read_user_home_content_files(accountsd_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9c7a0dba..b2bba984 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1224,6 +1224,24 @@ interface(`logging_manage_generic_logs',`
manage_files_pattern($1, var_log_t, var_log_t)
')
+########################################
+## <summary>
+## Watch generic log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_watch_generic_logs_dir',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ allow $1 var_log_t:dir watch;
+')
+
########################################
## <summary>
## All of the rules required to administrate
--
2.24.1
