From 6ecba6ff80e121df23a72b776921581767f84119 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Wed, 15 Mar 2023 22:26:11 +0000
Subject: [PATCH] systemd: also allow to mounton memory.pressure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi
---
 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/system/init.te | 1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index b3b5dfcc4..cbaab2c86 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1151,6 +1151,24 @@ interface(`fs_mounton_cgroup', `
 allow $1 cgroup_types:dir mounton;
 ')
 
+########################################
+##
+## Mount on cgroup files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mounton_cgroup_files', `
+ gen_require(`
+ attribute cgroup_types;
+ ')
+
+ allow $1 cgroup_types:file mounton;
+')
+
 ########################################
 ##
 ## Create an object in a cgroup tmpfs filesystem, with a private
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 38d0c2538..799d23081 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1179,6 +1179,7 @@ ifdef(`init_systemd',`
 # to allow receiving notifications when memory pressure is high, see:
 # https://systemd.io/MEMORY_PRESSURE/
 fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure")
+ fs_mounton_cgroup_files(init_t)
 
 optional_policy(`
 # create /var/lock/lvm/
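Review bot: The new `fs_mounton_cgroup_files` interface grants `mounton` on every file carrying any `cgroup_types` type, while the denial quoted in the commit message is only for `memory_pressure_t` on a single `memory.pressure` file, so the grant is wider than what the AVC shows. If systemd only ever mounts over `memory.pressure`, a type-scoped interface built on `memory_pressure_t` (the type that the existing `fs_cgroup_filetrans_memory_pressure` call already relies on) would keep the permission matched to that one file; if mounting over other cgroup files is expected, the attribute-wide form is the conventional refpolicy choice and the summary should say so. Either way this only resolves the quoted denial if `memory_pressure_t` actually carries the `cgroup_types` attribute, which this hunk does not show. The summary line `Mount on cgroup files.` could also note that the only caller added by this commit is `init_t`. The interface definition is complete within the hunk.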
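Review bot: The added `fs_mounton_cgroup_files(init_t)` has no comment tying it to the denial it fixes, while the neighbouring `fs_cgroup_filetrans_memory_pressure` call is documented by the two comment lines above it; a one-line `# systemd also mounts over the unit's memory.pressure file in its unit root` directly above the new call would keep that context. The AVC was captured with `permissive=1`, so it is worth confirming in enforcing mode that this single `mounton` is the only permission missing on that path. The enclosing `ifdef(`init_systemd',`` block starts and ends outside the hunk.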