diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 7a002b3e5b..4c452484ca 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -64,9 +64,10 @@ template(`cockpit_role_template',`
 cockpit_use_ws_fds($2)
 cockpit_rw_ws_stream_sockets($2)
- init_watch_runtime_dirs($2)
 init_watch_utmp($2)
+ systemd_watch_logind_runtime_dirs($2)
+ userdom_dontaudit_execute_user_tmpfs_files($2)
 ')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 01794c5f0c..fb14f63730 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -105,6 +105,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
 /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
 /run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1271fd1e87..f7c2245d22 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
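Review bot: The new `userdom_dontaudit_execute_user_tmpfs_files($2)` line carries no comment saying which access it silences, and a dontaudit on execute of user tmpfs files removes a denial that is normally worth keeping visible in the audit log. Please add a one-line comment above it, e.g. `# dontaudit: the role's domain ($2) trips execute on user tmpfs files — TODO: name the program/path that triggers it`, so the suppressed denial stays reviewable later. The enclosing `cockpit_role_template` starts outside the hunk; only its closing `')` is visible here.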
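Review bot: The new `/run/systemd/shutdown(/.*)?` entry only takes effect on relabel (setfiles/restorecon); if logind creates that directory itself at runtime it will inherit the label of its parent unless a name-based transition exists, and no such transition is added anywhere in this commit. If a runtime transition is intended it belongs in systemd.te next to the logind rules (a `filetrans_pattern` on the parent runtime type to `systemd_logind_runtime_t` for the name `shutdown`); if the directory is instead pre-created by a unit or tmpfiles.d, a short comment on this line saying so would make the labeling story clear. Which type `/run/systemd` itself carries is not visible in this hunk.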
@@ -901,11 +901,13 @@ dev_setattr_video_dev(systemd_logind_t)
 domain_obj_id_change_exemption(systemd_logind_t)
+files_check_write_runtime_dirs(systemd_logind_t)
 files_read_etc_runtime_files(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 # Getattr all shm segments as part of cleaning up the
 # segments of deleted ephemeral users.
 files_getattr_all_tmpfs_files(systemd_logind_t)
+files_rw_runtime_dirs(systemd_logind_t)
 fs_getattr_cgroup(systemd_logind_t)
 fs_getattr_tmpfs(systemd_logind_t)
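Review bot: `files_rw_runtime_dirs(systemd_logind_t)` grants read/write (including adding and removing entries) on every generic runtime directory under /run, which is broader than the single path this commit appears to be enabling (`/run/systemd/shutdown`, labeled `systemd_logind_runtime_t` in the systemd.fc hunk); if the write goes into `/run/systemd`, the narrower interface for that directory's type plus a name-based transition would keep logind off the rest of /run, or the generic type should be justified in a comment. The placement also misleads: the new line sits directly under the shm-cleanup comment, so that comment now reads as if it covers the new rule. Move it beside `files_read_etc_runtime_files` (keeping the files_* calls alphabetical) and give it its own comment, e.g. `# Create/remove entries under /run for shutdown handling — TODO: name the exact path`. The same justification applies to the added `files_check_write_runtime_dirs` line at the top of the hunk.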