commit: 9dfb39340ecb9c520110abd96c70388f09851000
Author: Daniel Burgener <Daniel.Burgener <AT> microsoft <DOT> com>
AuthorDate: Fri Dec 11 18:22:42 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9dfb3934
Allow systemd-ask-password to watch files
On systems that use plymouth, systemd-ask-password may set watches on
the contents of /run/systemd/ask-password, whereas other scenarios only
set a watch on the parent directory.
Signed-off-by: Daniel Burgener <Daniel.Burgener <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9c210947..2eac4fa5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1023,7 +1023,7 @@ allow systemd_passwd_agent_t self:capability { chown
sys_tty_config dac_override
allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:dir watch;
+allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t,
systemd_passwd_runtime_t)
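Review bot: The new rule on the `+` line still targets `systemd_passwd_var_run_t` while the three manage_*_pattern calls directly below it use `systemd_passwd_runtime_t`; if the former is only a compatibility alias kept from the var_run-to-runtime rename, the rule should use the current name, `allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;`, so the permissions for this directory read as one group. Adding `file watch` does not widen access in practice, because manage_files_pattern on the same type already grants read and write on those files, so the change stays within least privilege. A short comment above the rule carrying the reason from the commit message would spare the next reader a trip to the log, e.g. `# plymouth setups watch the files under the ask-password dir, not only the dir itself`.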