systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-07-07 13:45:12 +00:00 · 2022-07-07 13:45:12 +00:00 · d1ec6f1b9f
commit d1ec6f1b9f
parent 56e33b7e42
1 changed files with 3 additions and 0 deletions
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@ -414,6 +414,9 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 allow systemd_cgroups_t self:capability net_admin;

 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+# read kernel.cap_last_cap
+kernel_read_kernel_sysctls(systemd_cgroups_t)
+kernel_dontaudit_getattr_proc(systemd_cgroups_t)
 # for /proc/cmdline
 kernel_read_system_state(systemd_cgroups_t)