From 09c311f57fad214bda4f08dd54bc6a9dd07e506b Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@gmail.com>
Date: Tue, 21 Apr 2020 19:44:08 +0200
Subject: [PATCH] allow normal users to use 'systemd-run'

It can also be used to create temporary units under `systemd --user`.

Signed-off-by: bauen1 <j2468h@gmail.com>
---
 policy/modules/system/systemd.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f9c13654..5644f5567 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -24,6 +24,7 @@ template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
+		type systemd_run_exec_t;
 	')
 
 	#################################
@@ -58,6 +59,8 @@ template(`systemd_role_template',`
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
+
+	can_exec($3, systemd_run_exec_t)
 ')
 
 ######################################