From e1f91cd0e0af2cd3e1070067c3d3493aef67483c Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 18 Nov 2011 10:00:23 -0500
Subject: [PATCH] Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr

---
 policy/modules/system/init.if | 6 +++---
 policy/modules/system/init.te | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2409206f..ef5a3c8c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -110,10 +110,10 @@ interface(`init_systemd_domain',`
 	domtrans_pattern(init_t,$2,$1)
 	allow init_t $1:unix_stream_socket create_stream_socket_perms;
 	allow init_t $1:unix_dgram_socket create_socket_perms;
-	allow $1 init_t:unix_stream_socket ioctl;
+	allow $1 init_t:unix_stream_socket ioctl;
 	allow $1 init_t:unix_dgram_socket sendto;
-	# need write to /var/run/systemd/notify
-	init_write_pid_socket($1)
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket($1)
 ')
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5ee6a576..4e87d496 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1301,7 +1301,7 @@ tunable_policy(`init_systemd',`
 	allow daemon init_t:unix_dgram_socket sendto;
 	# need write to /var/run/systemd/notify
 	init_write_pid_socket(daemon)
-	dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 ')
 # daemons started from init will
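Review bot: The new `allow daemon init_t:unix_stream_socket { append write read getattr ioctl };` is scoped by type, not by descriptor, so every domain carrying the `daemon` attribute gains read/write on any init_t-labelled unix_stream_socket it can reach, not only the stdin/stdout/stderr descriptors the subject line describes; the line needs a comment recording that intent so the breadth is a deliberate choice rather than something inherited silently, e.g. `# stdin/stdout/stderr handed over by init are init_t unix_stream_sockets; daemons must read and write them`. The replaced dontaudit only silenced { read ioctl getattr }, so append and write are genuinely new permissions rather than formerly-hidden denials, and the commit description should say so. The same rule with the same missing comment appears for systemprocess in the following init.te hunk at line 1347; consider expressing the permission set once, in a shared interface, instead of duplicating it in both blocks. The enclosing tunable_policy(`init_systemd') block begins before this hunk.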
@@ -1347,7 +1347,7 @@ tunable_policy(`init_systemd',`
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
 	allow systemprocess init_t:unix_dgram_socket sendto;
-	dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
 ')
 ifdef(`hide_broken_symptoms',`
-- 
2.47.3