systemd: also allow to mounton memory.pressure

Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
This commit is contained in:
Luca Boccassi 2023-03-15 22:26:11 +00:00
parent 6dd2c3bcd1
commit 6ecba6ff80
2 changed files with 19 additions and 0 deletions


@ -1151,6 +1151,24 @@ interface(`fs_mounton_cgroup', `
allow $1 cgroup_types:dir mounton;
')
########################################
## <summary>
## Mount on cgroup files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mounton_cgroup_files', `
gen_require(`
attribute cgroup_types;
')
allow $1 cgroup_types:file mounton;
')
########################################
## <summary>
## Create an object in a cgroup tmpfs filesystem, with a private
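Review bot: The new fs_mounton_cgroup_files interface grants mounton on every file type carrying the cgroup_types attribute, while the AVC in the description names only memory_pressure_t; if that is the only cgroup file init_t has to mount over, an interface restricted to that one type would stay closer to least privilege, although the existing fs_mounton_cgroup above already takes the attribute-wide approach for directories, so the breadth may be a deliberate match. The rule only resolves the reported denial if memory_pressure_t actually carries the cgroup_types attribute, which is not visible in this hunk and is worth confirming. The summary `## Mount on cgroup files.` could name the motivating case, e.g. `## Mount on cgroup files, such as the memory.pressure file systemd overlays inside a unit's private root.` The hunk ends inside the header comment of the following interface.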


@ -1179,6 +1179,7 @@ ifdef(`init_systemd',`
# to allow receiving notifications when memory pressure is high, see:
# https://systemd.io/MEMORY_PRESSURE/
fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure")
fs_mounton_cgroup_files(init_t)
optional_policy(`
# create /var/lock/lvm/
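Review bot: The added `fs_mounton_cgroup_files(init_t)` call carries no comment of its own, and the comment above it explains only the memory.pressure file transition, not why init_t must also mount over that file. A one-line comment such as `# systemd mounts over memory.pressure inside the unit's private root (/run/systemd/unit-root)`, matching the path in the AVC from the description, would record the reason for the extra permission next to the rule. The enclosing ifdef(`init_systemd') block starts and ends outside the hunk.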