systemd: also allow to mounton memory.pressure
Mar 15 22:15:35 localhost audit[1607]: AVC avc: denied { mounton } for pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
parent
6dd2c3bcd1
commit
6ecba6ff80
@ -1151,6 +1151,24 @@ interface(`fs_mounton_cgroup', `
|
||||
allow $1 cgroup_types:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount on cgroup files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_mounton_cgroup_files', `
|
||||
gen_require(`
|
||||
attribute cgroup_types;
|
||||
')
|
||||
|
||||
allow $1 cgroup_types:file mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create an object in a cgroup tmpfs filesystem, with a private
|
||||
|
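Review bot: The new `fs_mounton_cgroup_files' interface grants `mounton` on every file type carrying `cgroup_types`, which is broader than the single denial it is meant to fix: the AVC in the commit message names `memory_pressure_t` as the target, so an interface scoped to that type (for example `allow $1 memory_pressure_t:file mounton;` under a `fs_mounton_memory_pressure' name, with `type memory_pressure_t;` in its gen_require) would close the denial without extending the permission to other cgroup files. As written, the rule only covers memory.pressure if `memory_pressure_t` itself carries the `cgroup_types` attribute, which this hunk does not show; worth confirming in fs.te before relying on it. The summary `## Mount on cgroup files.` could also state the intended use, e.g. `## Mount on files in a cgroup filesystem (used by systemd to mount on per-unit memory.pressure).`, so the next reader knows why a domain would need this.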
@ -1179,6 +1179,7 @@ ifdef(`init_systemd',`
|
||||
# to allow receiving notifications when memory pressure is high, see:
|
||||
# https://systemd.io/MEMORY_PRESSURE/
|
||||
fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure")
|
||||
fs_mounton_cgroup_files(init_t)
|
||||
|
||||
optional_policy(`
|
||||
# create /var/lock/lvm/
|
||||
|
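Review bot: The added `fs_mounton_cgroup_files(init_t)` call has no comment explaining why init needs to mount on cgroup files, while the neighbouring filetrans call is explained by the two comment lines above it; the denial path in the commit message (`/run/systemd/unit-root/.../memory.pressure`) is the only clue and is not preserved in the policy. Suggest a comment directly above the call, e.g. `# systemd also mounts on the per-unit memory.pressure file under /run/systemd/unit-root`. The breadth of the interface this call pulls in is raised on the fs.if hunk and is not repeated here. The enclosing `ifdef(`init_systemd',` block starts and ends outside the hunk.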