Dontaudit systemd-logind remove all files

When a user login session ends, "systemd-user-runtime-dir stop" is executed as an ExecStop action of the [email protected]. The command tries to delete the content of /run/user/UID, containing user data with possibly any SELinux type, using an equivalent of the "rm -rf" command. This is more like a safety action because the /run/user/UID directory is a tmpfs mount and is unmounted afterwards anyway, therefore the systemd_logind_t domain does not actually need the access to read directories and unlink files of all types, so the permissions are dontaudited instead. Resolves: RHEL-59145
fedora-selinux · Jan 31, 2025 · 5aaa24e · 5aaa24e
1 parent 4677e75
commit 5aaa24e
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -305,6 +305,8 @@ mls_dbus_send_all_levels(systemd_logind_t)
 
 files_delete_tmpfs_files(systemd_logind_t)
 fs_delete_tmpfs_dirs(systemd_logind_t)
+files_dontaudit_delete_all_files(systemd_logind_t)
+files_dontaudit_read_all_dirs(systemd_logind_t)
 
 fs_mount_tmpfs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)