commit: 5aa9a2bef4cc2428c7d31dd892ad9f6d8b85c85e
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Oct 3 16:22:17 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5aa9a2be
Allow the systemd dbus-daemon to talk to systemd
Recent versions of dbus are started as Type=notify
type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for
pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/dbus.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 3c422dd8..1d7123ba 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -165,6 +165,9 @@ ifdef(`init_systemd', `
# for /run/systemd/dynamic-uid/
init_list_pids(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t)
+
+ # Recent versions of dbus are started as Type=notify
+ init_write_runtime_socket(system_dbusd_t)
')
optional_policy(`
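Review bot: the comment above init_write_runtime_socket(system_dbusd_t) says why dbus changed but not what is being granted. Consider naming the object, for example "write to the systemd notify socket (sock_file labelled init_runtime_t)", so a later audit of the ifdef(`init_systemd') block can match the rule to the denial. Two things are worth confirming before this lands. First, the quoted AVC has permissive=1 and covers only { write } on the sock_file, so please re-test in enforcing mode to make sure the notification does not hit a further denial that this one rule does not cover. Second, the target type in the record is the general init_runtime_t, not a notify-specific type, so the grant applies to every socket file with that label and not only to the one named notify. If that breadth is intended, it is worth saying so in the comment.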