From 0ad23ce600fce412a9cb150e08cdb7bea310ca5b Mon Sep 17 00:00:00 2001
From: Eero Kelly
Date: Tue, 25 Jun 2024 21:58:21 +0000
Subject: [PATCH] fix: [NODE-1428] Allow systemd to relabel journal files
---
 ic-os/components/prep/guestos/systemd-fixes/systemd-fixes.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ic-os/components/prep/guestos/systemd-fixes/systemd-fixes.te b/ic-os/components/prep/guestos/systemd-fixes/systemd-fixes.te
index 01c93311bd4..74ce4a9d88b 100644
--- a/ic-os/components/prep/guestos/systemd-fixes/systemd-fixes.te
+++ b/ic-os/components/prep/guestos/systemd-fixes/systemd-fixes.te
@@ -25,6 +25,7 @@ allow syslogd_t syslogd_t : netlink_generic_socket { create ioctl };
 # context.
 require { type var_log_t; }
 filetrans_pattern(syslogd_t, var_t, var_log_t, dir, "log")
+allow systemd_tmpfiles_t var_log_t : file { relabelfrom };
 
 # journald wants to scan the /run/user hierarchy (presumably relating to login sessions)
 require { type user_runtime_root_t, user_runtime_t; }
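Review bot: The added `allow systemd_tmpfiles_t var_log_t : file { relabelfrom };` applies to every file labelled `var_log_t`, while the subject line only speaks of journal files, and no comment at the rule records that narrower intent. It sits directly under the comment block for the syslogd file transition, which begins above the hunk and does not describe it. I would give it its own comment, for example `# systemd-tmpfiles relabels journal files that were created as var_log_t (NODE-1428); this covers all var_log_t files, not just the journal`. `relabelfrom` is only the source half of a relabel, so the matching `relabelto` on the destination type must be granted elsewhere. A `require` for `systemd_tmpfiles_t` is not visible in this hunk either; both are presumably in the base policy or earlier in the file, but worth confirming.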