On 10/2/19 6:15 PM, Ian Pilcher wrote:
type=AVC msg=audit(1570051321.409:1773): avc: denied { getattr } for
pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503
scontext=system_u:system_r:denatc_sudo_t:s0
tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
permissive=0
I would have expected this to be simple. Add the following to my
policy:
    require {
        type systemctl_exec_t;
    }
    allow denatc_sudo_t systemctl_exec_t:file { getattr };
And it is simple ... if one uses the correct type:
systemd_systemctl_exec_t
Sorry for the noise!
--
========================================================================
Ian Pilcher arequipeno@xxxxxxxxx
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
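
The mismatch described in the message above can be caught mechanically by comparing an allow rule against the type in the denial's tcontext. The following is an added example, not part of the original message or of any SELinux tool; the function names `parse_avc` and `rule_gaps` are hypothetical, and it assumes the rule names types literally (no attributes or aliases).

```python
import re

# The denial from the message above, joined onto one line.
AVC = ('type=AVC msg=audit(1570051321.409:1773): avc: denied { getattr } for '
       'pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503 '
       'scontext=system_u:system_r:denatc_sudo_t:s0 '
       'tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file '
       'permissive=0')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(
    r'allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<tclass>\w+)\s*'
    r'(?:\{(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;')


def parse_avc(record):
    """Extract source type, target type, class and permissions from a denial."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError('not an AVC denial record')
    # A context is user:role:type:level; the type is the third field.
    return {'src': m['scontext'].split(':')[2],
            'tgt': m['tcontext'].split(':')[2],
            'tclass': m['tclass'],
            'perms': set(m['perms'].split())}


def rule_gaps(rule, denial):
    """Return the reasons an allow rule does not cover the denial (empty if it does)."""
    m = ALLOW_RE.search(rule)
    if m is None:
        return ['no allow rule found']
    perms = set((m['perms'] or m['perm']).split())
    gaps = [f"{k}: rule has {m[k]}, denial has {denial[k]}"
            for k in ('src', 'tgt', 'tclass') if m[k] != denial[k]]
    missing = denial['perms'] - perms
    if missing:
        gaps.append('missing permissions: ' + ' '.join(sorted(missing)))
    return gaps


if __name__ == '__main__':
    denial = parse_avc(AVC)
    for tgt in ('systemctl_exec_t', 'systemd_systemctl_exec_t'):
        rule = f'allow denatc_sudo_t {tgt}:file {{ getattr }};'
        print(rule, '->', rule_gaps(rule, denial) or 'covers the denial')
```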