filesystem/systemd: memory.pressure fixes.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>

policy/modules/kernel/filesystem.fc

@@ -14,14 +14,15 @@
 /sys/fs/bpf(/.*)?	<<none>>
 
 /sys/fs/cgroup	-d	gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup/.*	<<none>>
-/sys/fs/cgroup/[^/]+	-l	gen_context(system_u:object_r:cgroup_t,s0)
+/sys/fs/cgroup/.*	gen_context(system_u:object_r:cgroup_t,s0)
 
 /sys/fs/pstore	-d	gen_context(system_u:object_r:pstore_t,s0)
 /sys/fs/pstore/.*	<<none>>
 
 /sys/kernel/tracing(/.*)?	<<none>>
 
+/sys/fs/cgroup/.*/memory\.pressure -- gen_context(system_u:object_r:memory_pressure_t,s0)
+
 ifdef(`distro_debian',`
 /run/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 /run/shm/.*			<<none>>

policy/modules/kernel/filesystem.te

@@ -95,6 +95,7 @@ files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
+allow cgroup_types cgroup_t:filesystem associate;
 # When running under systemd, the cgroup file memory.pressure will have this
 # separate label, to allow unprivileged process to access it without accessing
 # the rest of the cgroup tree.

policy/modules/system/systemd.te

@@ -658,6 +658,7 @@ files_search_tmp(systemd_homed_t)
 
 fs_get_xattr_fs_quotas(systemd_homed_t)
 fs_getattr_all_fs(systemd_homed_t)
+fs_watch_memory_pressure(systemd_homed_t)
 
 kernel_read_kernel_sysctls(systemd_homed_t)
 kernel_read_system_state(systemd_homed_t)
@@ -2066,6 +2067,7 @@ files_read_usr_files(systemd_userdbd_t)
 fs_getattr_all_fs(systemd_userdbd_t)
 fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
+fs_watch_memory_pressure(systemd_userdbd_t)
 
 kernel_read_system_state(systemd_userdbd_t)