Merge pull request #1136 from thesamesam/systemd-tmpfiles

pebenito · web-flow · commit ba84c15f99b3 · 2026-06-01T16:03:16.000-04:00
systemd: tmpfiles fixes
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
@@ -1458,6 +1458,42 @@ interface(`logging_admin',`
 	logging_admin_syslog($1, $2)
 ')
 
+#######################################
+## <summary>
+##      Allow creating auditd_log_t directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_create_audit_log_dirs',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	allow $1 auditd_log_t:dir create_dir_perms;
+')
+
+#######################################
+## <summary>
+##      Allow relabeling auditd_log_t directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_relabel_audit_log_dirs',`
+	gen_require(`
+		type auditd_log_t;
+	')
+
+	allow $1 auditd_log_t:dir relabel_dir_perms;
+')
+
 #######################################
 ## <summary>
 ##	Map files in /run/log/journal/ directory.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -2131,8 +2131,8 @@ optional_policy(`
 # Tmpfiles local policy
 #
 
-allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
-allow systemd_tmpfiles_t self:process { getcap setfscreate };
+allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin sys_resource };
+allow systemd_tmpfiles_t self:process { getcap setfscreate setrlimit };
 
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
 allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
@@ -2234,6 +2234,16 @@ init_relabel_utmp(systemd_tmpfiles_t)
 init_relabel_var_lib_dirs(systemd_tmpfiles_t)
 init_read_runtime_files(systemd_tmpfiles_t)
 
+kernel_relabelfrom_unlabeled_dirs(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_files(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_symlinks(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_pipes(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_sockets(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_blk_devs(systemd_tmpfiles_t)
+kernel_relabelfrom_unlabeled_chr_devs(systemd_tmpfiles_t)
+
+logging_create_audit_log_dirs(systemd_tmpfiles_t)
+logging_relabel_audit_log_dirs(systemd_tmpfiles_t)
 logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
 logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
 logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
