From 20fbb550b749cbf6fe2ebc22004299f412ecbbd6 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 6 Mar 2023 18:20:57 -0500
Subject: [PATCH] systemd: add rules for systemd-zram-generator

Signed-off-by: Kenton Groombridge
---
 policy/modules/system/systemd.te | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c398d76b8..40fee715a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -477,8 +477,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process { getsched setfscreate signal };
+allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
+allow systemd_generator_t self:process { getcap getsched setfscreate signal };
 
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -487,6 +487,8 @@ dev_read_sysfs(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
+dev_create_sysfs_files(systemd_generator_t)
+dev_write_sysfs(systemd_generator_t)
 
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -522,7 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
-storage_raw_read_fixed_disk(systemd_generator_t)
+# write for systemd-zram-generator
+storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)
 
 # needed to resolve hostnames for NFS mounts
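Review bot: The new `sys_resource` capability and `getcap` process permission in the first hunk carry no comment saying which generator needs them, whereas the third hunk records its rationale with `# write for systemd-zram-generator`; the second hunk's two sysfs interfaces are undocumented in the same way. Because `systemd_generator_t` is a single domain shared by every generator, a reader auditing this policy later cannot tell from the rules alone that these widenings were added for systemd-zram-generator rather than for generators in general. Suggest a comment above the capability line in the first hunk, `# sys_resource and getcap for systemd-zram-generator`, and a matching one above `dev_create_sysfs_files` in the second hunk, `# sysfs writes for systemd-zram-generator`. If any of these permissions was added speculatively rather than from an observed denial, it would be worth saying so in the commit description too.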
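Review bot: `dev_write_sysfs(systemd_generator_t)` and `dev_create_sysfs_files(systemd_generator_t)` grant write and create access across sysfs to the whole generator domain, which is a broader grant than the `dev_write_sysfs_dirs` line already present just above them. The commit does not say which sysfs attributes the zram generator actually touches, so it is hard to judge from the hunk whether file creation in sysfs is genuinely required or whether the write interface alone would cover the observed denials. Consider stating the paths in a comment on the new lines, e.g. `# zram device configuration via sysfs (systemd-zram-generator); create needed for <attribute> -- confirm from AVC denials`, so the widening can be narrowed later if the generator's behaviour changes.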