Allow daemons and system processes started by init to read/write the unix_stream_sock...
authorDan Walsh <dwalsh@redhat.com>
Fri, 18 Nov 2011 15:00:23 +0000 (10:00 -0500)
committerDan Walsh <dwalsh@redhat.com>
Fri, 18 Nov 2011 15:00:23 +0000 (10:00 -0500)
policy/modules/system/init.if
policy/modules/system/init.te

index 2409206f678d2d31cadb106f3dfb62fb598d3326..ef5a3c8c22b0439a52fd41c1b2bc38277123409f 100644 (file)
@@ -110,10 +110,10 @@ interface(`init_systemd_domain',`
         domtrans_pattern(init_t,$2,$1)
         allow init_t $1:unix_stream_socket create_stream_socket_perms;
         allow init_t $1:unix_dgram_socket create_socket_perms;
-               allow $1 init_t:unix_stream_socket ioctl;
+       allow $1 init_t:unix_stream_socket ioctl;
         allow $1 init_t:unix_dgram_socket sendto;
-               # need write to /var/run/systemd/notify
-               init_write_pid_socket($1)
+       # need write to /var/run/systemd/notify
+       init_write_pid_socket($1)
     ')
 ')
 
index 5ee6a57658bb95b249a2482cf426e250039828a2..4e87d4961d51c5a74f9306999cce9f2d9a967fd9 100644 (file)
@@ -1301,7 +1301,7 @@ tunable_policy(`init_systemd',`
        allow daemon init_t:unix_dgram_socket sendto;
        # need write to /var/run/systemd/notify
        init_write_pid_socket(daemon)
-       dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
+       allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 ')
 
 # daemons started from init will
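Review bot: The new `allow daemon init_t:unix_stream_socket { append write read getattr ioctl };` lets every domain carrying the `daemon` attribute read and write init's stream sockets, and nothing in the hunk records why. The same widening is applied to `systemprocess` in the @@ -1347 hunk. The rule it replaces was a `dontaudit` on read/ioctl/getattr, so those accesses go from silently denied to permitted, with write and append added. I would put a comment above each rule naming the intended use, for example `# daemons inherit a stream socket from systemd for stdout/stderr` if that is the reason. It is also worth confirming that `init_systemd_domain` in init.if, which still grants only `ioctl` on this class, is meant to stay narrower. The enclosing tunable_policy block starts outside the hunk.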
@@ -1347,7 +1347,7 @@ tunable_policy(`init_systemd',`
        allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
        allow init_t systemprocess:unix_dgram_socket create_socket_perms;
        allow systemprocess init_t:unix_dgram_socket sendto;
-       dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
+       allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
 ')
 
 ifdef(`hide_broken_symptoms',`