commit:     8cdb1e582a7c164d6a0f6b39aa3f819eb8d5fc1b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 23:20:57 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cdb1e58

systemd: add rules for systemd-zram-generator

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 59a3fcfc5..030dcbd67 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -481,8 +481,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process { getsched setfscreate signal };
+allow systemd_generator_t self:capability { dac_override sys_admin 
sys_resource };
+allow systemd_generator_t self:process { getcap getsched setfscreate signal };
 
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
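Review bot: The new `sys_resource` capability and `getcap` process permission are granted to the whole systemd_generator_t domain with nothing in the policy recording which generator needs them; only the commit title ties them to systemd-zram-generator, and the third hunk shows the file's own convention of commenting such additions. A short comment above the capability rule, e.g. `# sys_resource and getcap for systemd-zram-generator`, would let a later reviewer judge whether they can be dropped if that generator is ever confined in its own domain. `sys_resource` in particular is wider than the zram use case (it is the general resource-limit override capability), so the trigger is worth stating explicitly. The block of systemd_generator_t rules continues outside the hunk.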
@@ -491,6 +491,8 @@ dev_read_sysfs(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
+dev_create_sysfs_files(systemd_generator_t)
+dev_write_sysfs(systemd_generator_t)
 
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
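Review bot: `dev_write_sysfs(systemd_generator_t)` grants write access to sysfs files to every generator, where the existing `dev_write_sysfs_dirs` a few lines above was the narrower grant, and neither new line carries the explanatory comment that the third hunk gives its change. Suggest `# systemd-zram-generator configures zram devices through their sysfs attributes` above the two added lines. It is also worth confirming what `dev_create_sysfs_files` is actually for: sysfs attribute files are normally created by the kernel, so if this permission was taken from an audit denial, checking which path the generator tried to create would show whether the grant is needed or whether a dontaudit is the right answer.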
@@ -526,7 +528,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
-storage_raw_read_fixed_disk(systemd_generator_t)
+# write for systemd-zram-generator
+storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)
 
 # needed to resolve hostnames for NFS mounts
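Review bot: The comment `# write for systemd-zram-generator` does not convey that `storage_raw_rw_fixed_disk` gives every generator raw write access to all fixed disk block devices, not only the zram ones; as far as I recall zram devices carry the same fixed_disk_device_t label as real disks in refpolicy, which would make this the widest grant in the commit. Suggest expanding the comment to `# systemd-zram-generator writes to /dev/zram*; note this allows raw writes to every fixed disk device` so the breadth is recorded next to the rule, and noting in the commit whether a separate domain for the zram generator was considered. The surrounding block of systemd_generator_t rules continues outside the hunk.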
