Merge pull request #108 from fishilico/systemd-user-2019-09

policy/modules/system/systemd.te

@@ -1170,7 +1170,7 @@ systemd_log_parse_environment(systemd_update_done_t)
 
 allow systemd_user_session_type self:capability { dac_read_search sys_resource };
 dontaudit systemd_user_session_type self:capability dac_override;
-allow systemd_user_session_type self:process setfscreate;
+allow systemd_user_session_type self:process { setfscreate setsockcreate };
 allow systemd_user_session_type self:udp_socket create_socket_perms;
 allow systemd_user_session_type self:unix_stream_socket create_stream_socket_perms;
 allow systemd_user_session_type self:netlink_kobject_uevent_socket { bind create getattr read setopt };
@@ -1189,15 +1189,22 @@ files_read_etc_files(systemd_user_session_type)
 files_list_usr(systemd_user_session_type)
 
 fs_getattr_cgroup(systemd_user_session_type)
+fs_getattr_tmpfs(systemd_user_session_type)
 fs_rw_cgroup_files(systemd_user_session_type)
 fs_manage_cgroup_dirs(systemd_user_session_type)
 
+# for /run/systemd/notify
+init_dgram_send(systemd_user_session_type)
 init_signal(systemd_user_session_type)
 
+# for /proc/sys/fs/nr_open
+kernel_read_fs_sysctls(systemd_user_session_type)
 kernel_read_kernel_sysctls(systemd_user_session_type)
 
 mount_list_runtime(systemd_user_session_type)
 
+selinux_compute_create_context(systemd_user_session_type)
+
 storage_getattr_fixed_disk_dev(systemd_user_session_type)
 
 # for systemd to read udev status