systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator

Fixes:
avc:  denied  { getsched } for  pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc:  denied  { execute } for  pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1

Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
Christian Schneider 2023-06-23 22:56:08 +02:00
parent c6424be02d
commit 26eb377014
1 changed files with 2 additions and 0 deletions


@ -524,6 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
# Where an unlabeled mountpoint is encounted:
kernel_dontaudit_search_unlabeled(systemd_generator_t)
modutils_domtrans(systemd_generator_t)
# write for systemd-zram-generator
storage_raw_rw_fixed_disk(systemd_generator_t)
storage_raw_read_removable_device(systemd_generator_t)
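
Review bot: The modutils_domtrans(systemd_generator_t) line has no comment and applies to every generator that runs as systemd_generator_t, while the commit message names only zram-generator as the caller that executes kmod. A transition into the kmod domain is a notable privilege for a domain shared by all generators, so please add a comment in the style of the existing "# write for systemd-zram-generator" line, for example "# load kernel modules for systemd-zram-generator", and say in the commit message whether giving this to all generators is intended. Separately, the getsched denial quoted in the message has systemd_generator_t as both source and target, so it needs a rule on the domain's own process class; no line visible in this hunk covers it, so please confirm where that is handled.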