systemd: add rules for systemd-zram-generator

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-06 18:20:57 -05:00 · 2023-03-06 18:20:57 -05:00 · 20fbb550b7
commit 20fbb550b7
parent 716f47dbd5
1 changed files with 6 additions and 3 deletions
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -477,8 +477,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #

 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process { getsched setfscreate signal };
+allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
+allow systemd_generator_t self:process { getcap getsched setfscreate signal };

 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@ -487,6 +487,8 @@ dev_read_sysfs(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
+dev_create_sysfs_files(systemd_generator_t)
+dev_write_sysfs(systemd_generator_t)

 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@ -522,7 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)

-storage_raw_read_fixed_disk(systemd_generator_t)
+# write for systemd-zram-generator
+storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)

 # needed to resolve hostnames for NFS mounts