Hi,
ca-certificates, btrfsmaintenance and probably others have conditions
that lead systemd to want to watch certain files, e.g.
PathChanged=/etc/sysconfig/btrfsmaintenance
That leads to
type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for
pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance"
dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
That case is rather easy, as "allow init_t etc_t:file watch;" would be OK
to add to the systemd rules. How is this expected to work in general,
though? Do we patch the policy for systemd or ship individual policy
snippets in packages?
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.com/
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer
HRB 36809 (AG Nürnberg)
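As an added example (not part of the mail above and not code from systemd, openSUSE or the SELinux reference policy), here is the derivation the mail performs by hand, written out as a small audit2allow-style script: it parses AVC "denied" records into (source type, target type, class, permissions), merges denials that share a type pair and class, and emits a complete .te module with the matching require block. The first input is the denial quoted in the mail, re-joined onto one line; the second input is a constructed, hypothetical denial for a watch on the parent directory (systemd path units also watch the directory a path lives in), included only to show how several classes end up in one module. The module name is an assumption.

```python
"""Derive a minimal SELinux policy module from AVC 'denied' audit records."""
import re
from collections import OrderedDict

# Constructed input: the denial quoted in the mail, re-joined onto one line.
MAIL_AVC = (
    'type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for '
    'pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance" '
    'dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
)

# Constructed, hypothetical denial (NOT from the mail): a watch on the parent
# directory, used only to show how rules for several classes are merged.
HYPOTHETICAL_DIR_AVC = (
    'type=AVC msg=audit(1621253571.000:28): avc: denied { watch } for '
    'pid=1 comm="systemd" path="/etc/sysconfig" dev="overlay" ino=15600 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0'
)

# Tolerates the single or double spaces auditd and mail clients produce.
_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    fields = context.split(':')
    if len(fields) < 3:
        raise ValueError(f'malformed security context: {context!r}')
    return fields[2]


def _perm_set(perms):
    """Render permissions in policy syntax: 'watch' or '{ read watch }'."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def parse_avc(line):
    """Return (source type, target type, class, sorted perms tuple),
    or None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(set(m.group('perms').split())))
    if not perms:
        return None
    return (_type_of(m.group('scontext')), _type_of(m.group('tcontext')),
            m.group('tclass'), perms)


def allow_rule(stype, ttype, tclass, perms):
    """One allow rule, e.g. 'allow init_t etc_t:file watch;'."""
    return f'allow {stype} {ttype}:{tclass} {_perm_set(perms)};'


def generate_te(module_name, avc_lines, version='1.0'):
    """Text of a .te module covering every denial in avc_lines; denials that
    share (source type, target type, class) are merged into one rule."""
    rules = OrderedDict()
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, PATH and other record types are skipped
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)

    # The require block must declare every type and every class/permission used.
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes = OrderedDict()
    for (_s, _t, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)

    out = [f'module {module_name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_perm_set(p)};' for c, p in classes.items()]
    out += ['}', '']
    out += [allow_rule(s, t, c, p) for (s, t, c), p in rules.items()]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(generate_te('local_systemd_watch', [MAIL_AVC, HYPOTHETICAL_DIR_AVC]))
```

Fed only the denial from the mail, the script emits the single rule `allow init_t etc_t:file watch;` inside a module that requires `type init_t;`, `type etc_t;` and `class file watch;`. The resulting .te text compiles and loads with the usual `checkmodule -M -m -o local_systemd_watch.mod local_systemd_watch.te`, `semodule_package -o local_systemd_watch.pp -m local_systemd_watch.mod` and `semodule -i local_systemd_watch.pp`. Two caveats a packager should keep in mind: `watch` is one of the file/dir permissions introduced for inotify and fanotify in relatively recent kernels, so the require block fails to compile against a base policy whose `file` class does not define it; and a generated module answers only the mechanics, not the ownership question the mail asks (whether such rules belong in the systemd policy or in per-package snippets).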