systemd: systemd-update-done fix startup issue
Seeing error:

Failed to initalize SELinux labeling handle: No such file or directory

but no denials.  With strace (and looking at source) found it is
opening /etc/selinux/config

openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3

but that was dontaudited.

allow systemd_update_done_t file_type:filesystem getattr;
allow systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };

These changes fix the issue

Signed-off-by: Dave Sugar <[email protected]>
Signed-off-by: Jason Zaman <[email protected]>
dsugar100 authored and perfinion committed Sep 3, 2022
1 parent d63d915 commit d50193d
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/system/systemd.te
Expand Up @@ -1752,6 +1752,7 @@ kernel_read_kernel_sysctls(systemd_update_done_t)

selinux_use_status_page(systemd_update_done_t)

seutil_read_config(systemd_update_done_t)
seutil_read_file_contexts(systemd_update_done_t)

systemd_log_parse_environment(systemd_update_done_t)
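
Review bot: The line added in the seutil_* block (the rendered diff no longer marks which of seutil_read_config or seutil_read_file_contexts is the "+") carries no comment tying it to the failure, so a later cleanup could drop it and bring back "Failed to initalize SELinux labeling handle" with no AVC to point at. Consider a one-line comment above it saying that the labeling handle setup opens /etc/selinux/config. The commit message also quotes both allow and dontaudit rules for systemd_update_done_t on selinux_config_t:dir { getattr open search }; it would help to name where that dontaudit comes from and whether it is still wanted now that the read is allowed, since it is what hid the denial. The message also lists "allow systemd_update_done_t file_type:filesystem getattr;" without saying whether it is existing policy or part of the fix, which a single-line addition makes hard to tell.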