systemd: allow tmpfiles to handle auditd_log_t

thesamesam · thesamesam · commit 7d1dc1f06221 · 2026-06-01T20:28:59.000+01:00
audit installs a tmpfiles.d file for /var/log/audit [0]: ``` AVC avc: denied { relabelfrom } for pid=1439 comm="systemd-tmpfile" name="audit" dev="dm-0" ino=1246029 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir AVC avc: denied { relabelto } for pid=1439 comm="systemd-tmpfile" name="audit" dev="dm-0" ino=1246029 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir ``` An explicit allow is needed because auditd_log_t is a security_file. [0] linux-audit/audit-userspace@eb3a9a6 Signed-off-by: Sam James <sam@gentoo.org>
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
@@ -1458,6 +1458,42 @@ interface(`logging_admin',`
 	logging_admin_syslog($1, $2)
 ')
 
+#######################################
+## <summary>
+##      Allow creating auditd_log_t directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_create_audit_log_dirs',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	allow $1 auditd_log_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
+##      Allow relabeling auditd_log_t directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_relabel_audit_log_dirs',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	allow $1 auditd_log_t:dir relabel_dir_perms;
+')
+
 #######################################
 ## <summary>
 ##	Map files in /run/log/journal/ directory.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -2242,6 +2242,8 @@ kernel_relabelfrom_unlabeled_sockets(systemd_tmpfiles_t)
 kernel_relabelfrom_unlabeled_blk_devs(systemd_tmpfiles_t)
 kernel_relabelfrom_unlabeled_chr_devs(systemd_tmpfiles_t)
 
+logging_create_audit_log_dirs(systemd_tmpfiles_t)
+logging_relabel_audit_log_dirs(systemd_tmpfiles_t)
 logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
 logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
 logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
