init: allow initrc_t to getcap

Many AVCs are observed on a systemd system across various services.

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2023-03-06 11:23:23 -05:00
parent 9af88f2bf7
commit 5ad60847c6


@ -699,7 +699,7 @@ optional_policy(`
# Init script local policy
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
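Review bot: The new `getcap` permission on the `allow initrc_t self:process` line carries no inline justification, while the neighbouring `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` line in the same hunk shows the file's convention of naming the trigger. Since the commit message only says that AVCs were observed, a trailing comment on the new line such as `# capget() by systemd-managed services (see AVCs in commit)` — adjusted to whatever actually produced the denials — would let the next maintainer judge whether the grant is still needed. The grant itself is low risk: `getcap` on self:process lets initrc_t read only its own capability sets, not change them, so no new privilege is conferred. The hunk header counts seven old and seven new lines but only six of each are visible here, so one context line (likely the leading `#` of the section banner) appears to have been lost in rendering; the enclosing "Init script local policy" section continues past this hunk.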