author | Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2022-07-07 13:45:12 +0000 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:05:00 -0500 |
commit | 9366da629b30718c96c5f5d53b6622c9a52b2f94 (patch) | |
tree | a5acfaf21c2cc1eb1f71354694ded2799567b389 | |
parent | domain: Manage own fds. (diff) | |
download | hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.gz hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.tar.bz2 hardened-refpolicy-9366da629b30718c96c5f5d53b6622c9a52b2f94.zip |
systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/system/systemd.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f2399d0a6..ee6a1db1e 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -418,6 +418,9 @@ fs_register_binary_executable_type(systemd_binfmt_t) allow systemd_cgroups_t self:capability net_admin; kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) +# read kernel.cap_last_cap +kernel_read_kernel_sysctls(systemd_cgroups_t) +kernel_dontaudit_getattr_proc(systemd_cgroups_t) # for /proc/cmdline kernel_read_system_state(systemd_cgroups_t) |
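Review bot: the comment `# read kernel.cap_last_cap` understates what the hunk grants, since `kernel_read_kernel_sysctls(systemd_cgroups_t)` permits reading every sysctl carrying the kernel sysctl type (the whole of `/proc/sys/kernel`), not only `cap_last_cap`; if the policy has no narrower interface for that single file, reword the comment to say the access is needed for `cap_last_cap` but is granted at kernel-sysctl granularity, so the wider scope is a recorded decision rather than an accident. The added `kernel_dontaudit_getattr_proc(systemd_cgroups_t)` line is covered by neither the commit message nor the comment; add a one-line note on why getattr on the proc filesystem is silenced here (presumably it is incidental to reaching `/proc/sys/kernel`), so a later reader does not take it for a stray dontaudit.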