From 3b1d4e715ea9e813402c242fb322ca5221b0e173 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 2 Mar 2023 18:59:16 +0800
Subject: [PATCH 1/2] systemd: add capability sys_resource to systemd_userdbd_t
Fixes:
avc: denied { sys_resource } for pid=316 comm="(sd-worker)" capability=24 scontext=system_u:system_r:systemd_userdbd_t tcontext=system_u:system_r:systemd_userdbd_t tclass=capability permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5da67ea83..a0165b914 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1863,7 +1863,7 @@ seutil_libselinux_linked(systemd_user_session_type)
 # systemd-userdbd local policy
 #
-allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
 allow systemd_userdbd_t self:process signal;
 allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms;
From 5e6fad9e4c0ae0ba6aca032366ca1d3b0d261fb0 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 2 Mar 2023 19:02:12 +0800
Subject: [PATCH 2/2] systemd: allow systemd-sysctl to search directories on ramfs
Fixes:
avc: denied { search } for pid=170 comm="systemd-sysctl" name="/" dev="ramfs" ino=14098 scontext=system_u:system_r:systemd_sysctl_t tcontext=system_u:object_r:ramfs_t tclass=dir permissive=0
Signed-off-by: Yi Zhao
---
 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a0165b914..d8cae8c88 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1574,6 +1574,7 @@ files_read_etc_files(systemd_sysctl_t)
 fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
+fs_search_ramfs(systemd_sysctl_t)
 systemd_log_parse_environment(systemd_sysctl_t)
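Review bot: The AVC quoted in the message shows only that a `(sd-worker)` child of systemd-userdbd was denied capability 24 (sys_resource), not which call needed it, and the new `allow systemd_userdbd_t self:capability { dac_read_search sys_resource };` line grants that capability to the whole domain with no comment explaining the need. CAP_SYS_RESOURCE is broad — it lets a process raise resource limits past the hard ceiling, override disk quotas and bypass reserved-block checks — so if the trigger is systemd's best-effort attempt to bump its own RLIMIT_NOFILE (a guess from the comm field, not something the log establishes), the failure is tolerated and `dontaudit systemd_userdbd_t self:capability sys_resource;` would silence the denial without widening the domain. If the capability genuinely is required, keep the allow but document it in place, e.g. `# sys_resource: requested by the sd-worker child; confirm which setrlimit/quota call needs it before relying on this` above the rule, so the next reviewer can re-evaluate it when userdbd changes.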