commit: 716e9b6d402bdb400679019d455f2da5a69e33d5 Author: Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev> AuthorDate: Thu Nov 28 01:49:27 2024 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Dec 15 00:19:19 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=716e9b6d
systemd_homed_t, systemd_homework_t: allow reading of /etc/machine-id
systemd-homed user records stored in identity files are machine-id specific and signed, so systemd-homed needs access to /etc/machine-id to create those records properly.
Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 309f99ae4..dca7f098d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -679,6 +679,9 @@ allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
 allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homed_t)
+
 # Entries such as /sys/devices/virtual/block/loop1/uevent:
 dev_read_sysfs(systemd_homed_t)
@@ -729,6 +732,9 @@ allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
 files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
 init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homework_t)
+
 # mount on /run/systemd/user-home-mount
 allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
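Review bot: The comment `# read /etc/machine-id` placed above `files_read_etc_runtime(systemd_homed_t)` understates what is being granted: that interface allows reading every file labeled etc_runtime_t, not only /etc/machine-id, so someone later auditing systemd_homed_t's access from the policy text will not see the wider scope. The same applies to the second hunk, where the identical comment and call are added for systemd_homework_t. The commit implicitly relies on /etc/machine-id carrying the etc_runtime_t label and refpolicy appears to offer no narrower type for it, so the interface choice looks reasonable, but the comment should record the actual scope, e.g. `# /etc/machine-id is etc_runtime_t; this also permits reading other etc_runtime_t files`. The enclosing systemd_homed_t and systemd_homework_t policy sections continue outside both hunks.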
