systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com> Signed-off-by: Kenton Groombridge <concord@gentoo.org>
author: Chris PeBenito <Christopher.PeBenito@microsoft.com> 2022-07-07 13:45:12 +0000
committer: Kenton Groombridge <concord@gentoo.org> 2024-03-01 12:05:00 -0500
commit: 9366da629b30718c96c5f5d53b6622c9a52b2f94 (patch)
tree: a5acfaf21c2cc1eb1f71354694ded2799567b389
parent: domain: Manage own fds. (diff)
download: hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.gz
hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.bz2
hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f2399d0a6..ee6a1db1e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -418,6 +418,9 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 allow systemd_cgroups_t self:capability net_admin;
 
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+# read kernel.cap_last_cap
+kernel_read_kernel_sysctls(systemd_cgroups_t)
+kernel_dontaudit_getattr_proc(systemd_cgroups_t)
 # for /proc/cmdline
 kernel_read_system_state(systemd_cgroups_t)
author	Chris PeBenito <Christopher.PeBenito@microsoft.com>	2022-07-07 13:45:12 +0000
committer	Kenton Groombridge <concord@gentoo.org>	2024-03-01 12:05:00 -0500
commit	9366da629b30718c96c5f5d53b6622c9a52b2f94 (patch)
tree	a5acfaf21c2cc1eb1f71354694ded2799567b389
parent	domain: Manage own fds. (diff)
download	hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.gz hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.bz2 hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.zip