fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow systemd domains watch system dbus pid socket files #1997

Closed zpytela closed 7 months ago

zpytela commented 7 months ago

With the 569208d534 commit ("Allow systemd services watch dbusd pid directory and its parents"), 5 systemd domains were allowed to watch /run/dbus and all its parents in path, but only 2 of the domains were already allowed to watch the "/run/dbus/system_bus_socket" socket file. This commit adds the socket file watch rule also for the rest of the domains: systemd_machined_t, systemd_networkd_t, systemd_hostnamed_t.

The commit addresses the following AVC denial:

    Jan 08 11:52:41 fedora audit[374]: AVC avc: denied { watch } for pid=374 comm="systemd-network" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=143 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1

Resolves: https://github.com/fedora-selinux/selinux-policy/issues/1991
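As an added example (not code from the selinux-policy project), the parser below turns an AVC denial record like the one quoted above into the allow rule it implies, which is how the rule for systemd_networkd_t in this fix follows from the logged denial. The record for systemd_hostnamed_t is constructed to the same shape; note that permissive=1 in the original record means the watch was logged but still granted.

```python
import re
from dataclasses import dataclass
# Constructed input: the denial quoted in the pull request, plus a constructed
# record of the same shape for systemd_hostnamed_t, another domain in the fix.
SAMPLE_AVCS = [
    'audit[374]: AVC avc: denied { watch } for pid=374 comm="systemd-network" '
    'path="/run/dbus/system_bus_socket" dev="tmpfs" ino=143 '
    'scontext=system_u:system_r:systemd_networkd_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1',
    'audit[401]: AVC avc: denied { watch } for pid=401 comm="systemd-hostnam" '
    'path="/run/dbus/system_bus_socket" dev="tmpfs" ino=143 '
    'scontext=system_u:system_r:systemd_hostnamed_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0',
]
_PERMS = re.compile(r"denied\s*\{\s*([^}]*)\}")  # the "{ watch }" part
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"

@dataclass
class Avc:
    perms: tuple   # permissions inside the braces, sorted
    fields: dict   # key=value pairs after the braces, quotes stripped

    @property
    def enforced(self) -> bool:
        # permissive=1 means the access was logged but still granted
        return self.fields.get("permissive") != "1"

    def _type(self, key: str) -> str:
        return self.fields[key].split(":")[2]   # user:role:type:level

    def allow_rule(self) -> str:
        perms = " ".join(self.perms)
        if len(self.perms) > 1:
            perms = "{ %s }" % perms
        return "allow %s %s:%s %s;" % (self._type("scontext"), self._type("tcontext"),
                                       self.fields["tclass"], perms)

def parse_avc(line: str) -> Avc:
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = {k: (v[1:-1] if v.startswith('"') else v)
              for k, v in _FIELD.findall(line[m.end():])}
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError("AVC record lacks %s" % sorted(missing))
    return Avc(tuple(sorted(m.group(1).split())), fields)

def derive_rules(lines) -> list:  # unique allow rules for all denials, sorted
    return sorted({parse_avc(l).allow_rule() for l in lines if "avc: denied" in l})
```

Running derive_rules(SAMPLE_AVCS) yields one watch rule on system_dbusd_var_run_t:sock_file per domain, matching the rules the commit adds.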