Allow systemd-journald to be started with NoNewPrivileges=yes
Starting with systemd commit cd10ab613b2198, many services including
systemd-journald are started with NoNewPrivileges=yes, but that breaks
unless the SELinux policy allows for it.

It turns out this wasn't yet allowed for systemd-journald, which runs
under the syslogd_t SELinux type.

Fix that by calling init_nnp_daemon_domain(syslogd_t).

Tested by rebuilding selinux-policy on Rawhide and booting the system
with systemd from master and SELinux enabled.
filbranden authored and wrabcak committed Dec 16, 2018
1 parent 4f84ae0 commit 85649d0
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/system/logging.te
Expand Up @@ -91,6 +91,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
init_nnp_daemon_domain(syslogd_t)
mls_trusted_object(syslogd_t)

type syslogd_initrc_exec_t;
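
Review bot: the added `init_nnp_daemon_domain(syslogd_t)` line has no comment, and nothing at this spot in logging.te records why syslogd_t needs it. The reason lives only in the commit message (systemd-journald runs as syslogd_t and is now started with NoNewPrivileges=yes), so a one-line comment above the call, for example `# systemd starts systemd-journald with NoNewPrivileges=yes`, would keep a later cleanup from dropping it. The call is made for the syslogd_t type as a whole, not for journald alone, so the commit message should also say whether that wider scope is intended.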