commit: beb9a141a7b43b6583e2191c395b60454abc4eb5
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Sat Jul 26 02:45:40 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:01:01 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=beb9a141
systemd: allow users to run systemd-cgtop
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/systemd.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8dc8f5899..467c7b70b 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -26,7 +26,7 @@ template(`systemd_role_template',`
class system { disable enable reload start status stop };
attribute systemd_user_session_type, systemd_log_parse_env_type;
attribute systemd_user_activated_sock_file_type,
systemd_user_unix_stream_activated_socket_type;
- type systemd_analyze_exec_t;
+ type systemd_analyze_exec_t, systemd_cgtop_exec_t;
type systemd_conf_home_t, systemd_data_home_t;
type systemd_tmpfiles_exec_t;
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
@@ -197,6 +197,7 @@ template(`systemd_role_template',`
allow $3 systemd_conf_home_t:service { reload start status stop };
can_exec($3, systemd_analyze_exec_t)
+ can_exec($3, systemd_cgtop_exec_t)
init_dbus_chat($3)
init_search_var_lib_dirs($3)
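Review bot: The added `can_exec($3, systemd_cgtop_exec_t)` gives every role that instantiates `systemd_role_template` execute access without a domain transition, so systemd-cgtop runs in the user's own domain with whatever cgroup and systemd-manager access that domain already has. Neither this hunk nor the require change in the first hunk shows whether that access is sufficient or deliberately limited, so a short comment above the rule would help, e.g. `# systemd-cgtop runs in the caller's domain; no transition and no extra cgroup access is granted here`. The diffstat touches only systemd.if, so the rule presumably relies on `systemd_cgtop_exec_t` already being declared and labelled in the module's .te/.fc files; that is worth confirming, since otherwise the rule never matches the binary. The template body begins and ends outside the hunk.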