author | Christian Göttsche <cgzones@googlemail.com> | 2024-04-04 22:38:40 +0200 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:40:44 -0400 |
commit | b47a50291854cc302c3728258543201a49a12379 (patch) | |
tree | 7b653c6629c0dcefecd0a468860e3625e2aa9797 | |
parent | quote: read localization (diff) | |
systemd: allow notify client to stat socket
Caused by the latest openssh version in Debian sid:
AVC avc: denied { getattr } for pid=13544 comm="sshd" path="/run/systemd/notify" dev="tmpfs" ino=286 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/system/systemd.if | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 28f0ad089..4ad1b4484 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -322,7 +322,7 @@ interface(`systemd_write_notify_socket',` init_list_runtime($1) init_unix_stream_socket_sendto($1) - allow $1 systemd_runtime_notify_t:sock_file write; + allow $1 systemd_runtime_notify_t:sock_file write_sock_file_perms; ') ###################################### |
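Review bot: On the changed `allow` line in `systemd_write_notify_socket`, the denial quoted in the commit message shows only `getattr` on the `sock_file`, while `write_sock_file_perms` is a permission-set macro whose expansion is not visible in this hunk. Because the rule applies to every domain passed as `$1`, not only `sshd_t`, please confirm the set grants nothing beyond what a notify client needs, or spell the permissions out as `{ getattr write }` if that is all that is required. The interface is still named for write access only, so its summary comment (outside this hunk) should be checked to make sure it mentions that callers can now stat the socket as well.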