From 0ff1f78619327e8a81c5ae13071fb3a2a50f3ef5 Mon Sep 17 00:00:00 2001
From: bauen1
Date: Sat, 9 May 2020 09:38:05 +0200
Subject: [PATCH] systemd: allow regular users to run systemd-analyze
Same deal as with systemd-run this is potentially useful for non privileged users and especially useful for admins.
Signed-off-by: bauen1
---
 policy/modules/system/systemd.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 5644f5567..43dec0375 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -24,7 +24,7 @@ template(`systemd_role_template',`
 gen_require(`
 attribute systemd_user_session_type, systemd_log_parse_env_type;
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
- type systemd_run_exec_t;
+ type systemd_run_exec_t, systemd_analyze_exec_t;
 ')
 #################################
@@ -60,7 +60,7 @@ template(`systemd_role_template',`
 # Allow using file descriptors for user environment generators
 allow $3 $1_systemd_t:fd use;
- can_exec($3, systemd_run_exec_t)
+ can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 ')
 ######################################
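Review bot: The widened `can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })` in the second hunk carries no comment, although the `fd use` rule directly above it has one, and the property that makes this safe to hand to every user role is not written down. `can_exec` grants execution without a domain transition, so systemd-analyze runs in the calling user domain and gains no access beyond what `$3` already holds. I would add `# systemd-run and systemd-analyze execute in the caller's domain (no transition), so they get no access beyond $3` above the rule. For the same reason, subcommands that query the service manager will presumably still be denied for confined users unless `$3` already has that access, which is worth checking in enforcing mode. The template body begins outside the hunk, so which roles instantiate it is not visible here.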