init: allow initrc_t to getcap

Many AVCs are observed on a systemd system and various services. Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-06 11:23:23 -05:00 · 2023-03-06 11:23:23 -05:00 · 5ad60847c6
commit 5ad60847c6
parent 9af88f2bf7
1 changed files with 1 additions and 1 deletions
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -699,7 +699,7 @@ optional_policy(`
 # Init script local policy
 #

-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this