systemd: allow tmpfiles to handle auditd_log_t

thesamesam · thesamesam · commit 859f6baae04a · 2026-05-24T02:18:23.000+01:00
audit installs a tmpfiles.d file for /var/log/audit [0]: ``` AVC avc: denied { relabelfrom } for pid=1439 comm="systemd-tmpfile" name="audit" dev="dm-0" ino=1246029 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir AVC avc: denied { relabelto } for pid=1439 comm="systemd-tmpfile" name="audit" dev="dm-0" ino=1246029 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir ``` An explicit allow is needed because auditd_log_t is a security_file. [0] linux-audit/audit-userspace@eb3a9a6 Signed-off-by: Sam James <sam@gentoo.org>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -2268,6 +2268,14 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 	files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+optional_policy(`
+	gen_require(`
+		class logging auditd_log_t;
+	')
+
+	allow systemd_tmpfiles_t auditd_log_t:dir { create_dir_perms relabel_dir_perms };
+')
+
 optional_policy(`
 	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
