
commit 57f6ed3e1c0387c3f2cb82154f57a9dd73dc7b2e
Author: Robert Frohl <rfrohl@suse.com>
Date:   Mon May 12 14:38:52 2025 +0200

    Basic functionality for systemd-oomd
    
    domain_read_all_domains_state(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { search } for  pid=1368 comm="systemd-oomd" name="24509" dev="proc" ino=80823 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=1368 comm="systemd-oomd" name="stat" dev="proc" ino=80824 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { open } for  pid=1368 comm="systemd-oomd" path="/proc/24509/stat" dev="proc" ino=80824 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { getattr } for  pid=1368 comm="systemd-oomd" path="/proc/24509/stat" dev="proc" ino=80824 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
    type=AVC msg=audit(..): avc:  denied  { ioctl } for  pid=1368 comm="systemd-oomd" path="/proc/24509/stat" dev="proc" ino=80824 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
    
    domain_kill_all_domains(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { kill } for pid=1433 comm="systemd-oomd" capability=5 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:system_r:systemd_oomd_t:s0 tclass=capability permissive=1
    type=AVC msg=audit(..): avc:  denied  { sigkill } for pid=1433 comm="systemd-oomd" scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
    
    fs_manage_cgroup_dirs(systemd_oomd_t)
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=1333 comm="systemd-oomd" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(..): avc:  denied  { read } for  pid=1333 comm="systemd-oomd" name="background.slice" dev="cgroup2" ino=4594 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(..): avc:  denied  { write } for  pid=1333 comm="systemd-oomd" name="run-p1791-i1792.service" dev="cgroup2" ino=5024 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(..): avc:  denied  { setattr } for  pid=1333 comm="systemd-oomd" name="run-p1791-i1792.service" dev="cgroup2" ino=5024 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    
    fs_list_cgroup_dirs(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { read } for pid=1433 comm="systemd-oomd" name="system.slice" dev="cgroup2" ino=73 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    type=AVC msg=audit(..): avc:  denied  { read } for pid=1433 comm="systemd-oomd" name="session.slice" dev="cgroup2" ino=6774 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    
    fs_setattr_cgroup_dirs(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { setattr } for pid=1433 comm="systemd-oomd" name="run-p6559-i6560.service" dev="cgroup2" ino=10300 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    
    fs_write_cgroup_dirs(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { write } for pid=1433 comm="systemd-oomd" name="run-p6559-i6560.service" dev="cgroup2" ino=10300 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=unconfined_u:object_r:cgroup_t:s0 tclass=dir permissive=1
    
    dbus_read_pid_sock_files(systemd_oomd_t):
    audit(..): avc:  denied  { watch } for  pid=1480 comm="systemd-oomd" path="/run" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
    
    dbus_watch_pid_dir_path(systemd_oomd_t):
    type=AVC msg=audit(..): avc:  denied  { watch } for  pid=1482 comm="systemd-oomd" path="/" dev="nvme0n1p2" ino=256 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    
    Fixes: bsc#1236535
    Signed-off-by: Robert Frohl <rfrohl@suse.com>

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4a9ff4f0b..a2568bd3c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1921,8 +1921,17 @@ kernel_dgram_send(systemd_oomd_t)
 kernel_read_psi(systemd_oomd_t)
 kernel_stream_connect(systemd_oomd_t)
 
+domain_read_all_domains_state(systemd_oomd_t)
+domain_kill_all_domains(systemd_oomd_t)
+
+fs_list_cgroup_dirs(systemd_oomd_t)
+fs_setattr_cgroup_dirs(systemd_oomd_t)
+fs_write_cgroup_dirs(systemd_oomd_t)
+
 optional_policy(`
     dbus_acquire_svc_system_dbusd(systemd_oomd_t)
+    dbus_read_pid_sock_files(systemd_oomd_t)
+    dbus_watch_pid_dir_path(systemd_oomd_t)
 ')
 
 permissive systemd_oomd_t;
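Review bot: The new `domain_kill_all_domains(systemd_oomd_t)` and `domain_read_all_domains_state(systemd_oomd_t)` lines let the oomd domain read /proc/<pid>/stat of, and SIGKILL, processes in every domain including unconfined_t (matching the CAP_KILL and sigkill denials quoted in the message), yet the trailing `permissive systemd_oomd_t;` in the hunk's context is left in place, so all of the quoted AVCs were gathered with permissive=1 and nothing here shows the rule set is complete in enforcing mode. Since a compromised systemd-oomd can now terminate any process on the host, these two lines deserve a why-comment rather than standing bare, e.g. `# oomd must inspect and SIGKILL OOM victims in any domain, including unconfined_t (bsc#1236535)`, and the permissive declaration should carry `# TODO: drop once no denials remain in enforcing mode` so the broad grants are not forgotten behind it. The commit message headings also name `fs_manage_cgroup_dirs`, but the hunk instead adds the narrower `fs_list_cgroup_dirs`/`fs_setattr_cgroup_dirs`/`fs_write_cgroup_dirs` triple, which is the better choice for a kill-only daemon and is worth stating in the message so the next reader does not "fix" it back to manage. The `optional_policy` block is fully visible in the hunk; the file is declarative policy, so there is no enclosing function.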