commit: b92a94a5433397a83d36847cbd4b8ce677e1e607
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Nov 13 21:17:53 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b92a94a5
systemd: add support for systemd-resolved stubs
When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.if | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e68a9b44..fc000ef9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2164,6 +2164,10 @@ interface(`systemd_read_resolved_runtime',`
type systemd_resolved_runtime_t;
')
+ # to read the systemd-resolved stub
+ files_read_etc_symlinks($1)
+
+ init_search_runtime($1)
read_files_pattern($1, systemd_resolved_runtime_t,
systemd_resolved_runtime_t)
')
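Review bot: the grant in this hunk is broader than the stated need. `files_read_etc_symlinks($1)` lets every caller of `systemd_read_resolved_runtime` read all etc_t symlinks, not just the /etc/resolv.conf link into /run/systemd/resolve, and `init_search_runtime($1)` is added with no comment at all while the comment on the line above only mentions the stub. Since this interface is the only place a policy author will see the widened access, please extend the inline comment to cover both calls (e.g. `# follow the /etc/resolv.conf symlink into the init runtime directory`) and update the interface's description block above the hunk to state that callers now gain etc_t symlink read and init runtime search permission, so that a domain being granted this interface for another reason does not pick up the extra access unnoticed.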