commit e1303805aff00ab56a3c55bbb70d8bfd0dd21a10
Author: Robert Frohl <rfrohl@suse.com>
Date: Thu May 8 13:52:31 2025 +0200
Basic enablement for systemd-oomd (bsc#1236535)
dontaudit dac_override:
type=AVC msg=audit(..): avc: denied { dac_override } for pid=2643 comm="systemd-oomd" capability=1 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:system_r:systemd_oomd_t:s0 tclass=capability permissive=1
allow systemd_oomd_t systemd_oomd_var_run_t:sock_file manage_sock_file_perms:
type=AVC msg=audit(..): avc: denied { write } for pid=4361 comm="systemd-oomd" name="io.systemd.ManagedOOM" dev="tmpfs" ino=42 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:systemd_oomd_var_run_t:s0 tclass=sock_file permissive=1
manage_sock_file_perms;
kernel_dgram_send(systemd_oomd_t):
type=AVC msg=audit(..): avc: denied { sendto } for pid=2643 comm="systemd-oomd" path="/systemd/journal/socket" scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
kernel_read_psi(systemd_oomd_t):
type=AVC msg=audit(..): avc: denied { search } for pid=2643 comm="systemd-oomd" name="pressure" dev="proc" ino=4026532057 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:proc_psi_t:s0 tclass=dir permissive=1
type=AVC msg=audit(..): avc: denied { read } for pid=2643 comm="systemd-oomd" name="cpu" dev="proc" ino=4026532060 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:proc_psi_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { open } for pid=2643 comm="systemd-oomd" path="/proc/pressure/cpu" dev="proc" ino=4026532060 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:proc_psi_t:s0 tclass=file permissive=1
type=AVC msg=audit(..): avc: denied { getattr } for pid=2643 comm="systemd-oomd" path="/proc/pressure/cpu" dev="proc" ino=4026532060 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:proc_psi_t:s0 tclass=file permissive=1
kernel_stream_connect(systemd_oomd_t):
type=AVC msg=audit(..): avc: denied { connectto } for pid=2643 comm="systemd-oomd" path="/systemd/io.systemd.ManagedOOM" scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
dbus_acquire_svc_system_dbusd(systemd_oomd_t):
type=USER_AVC msg=audit(..): pid=885 uid=496 auid=4294967295 ses=4294967295 subj=stystem_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=496 hostname=? addr=? terminal=?'
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 1370b0765..6f1ca8347 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -59,6 +59,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
/usr/lib/systemd/systemd-mountwork -- gen_context(system_u:object_r:systemd_mountfsd_exec_t,s0)
/usr/lib/systemd/systemd-nsresourced -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
/usr/lib/systemd/systemd-nsresourcework -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-oomd -- gen_context(system_u:object_r:systemd_oomd_exec_t,s0)
/usr/lib/systemd/systemd-pcrextend -- gen_context(system_u:object_r:systemd_pcrextend_exec_t,s0)
/usr/lib/systemd/systemd-pcrlock -- gen_context(system_u:object_r:systemd_pcrlock_exec_t,s0)
/usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
@@ -138,6 +139,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
/run/systemd/generator/.+ <<none>>
/run/systemd/io\.systemd\.Login -s gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/io\.systemd\.ManagedOOM -s gen_context(system_u:object_r:systemd_oomd_var_run_t,s0)
/run/systemd/io\.systemd\.NamespaceResource -s gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
/run/systemd/nsresource(/.*)? gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@@ -152,6 +154,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
/run/systemd/machine(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
/run/systemd/machines.lock -- gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/oom(/.*)? gen_context(system_u:object_r:systemd_oomd_var_run_t,s0)
/run/systemd/pcrlock.json -- gen_context(system_u:object_r:systemd_pcrlock_var_lib_t,s0)
/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
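Review bot: The new entry `/run/systemd/oom(/.*)?` on L45 labels a whole directory tree systemd_oomd_var_run_t, but the companion systemd.te hunk grants systemd_oomd_t only sock_file permissions on that type, so searching or creating the directory itself, or any non-socket object under it, would still be denied once the domain leaves permissive mode. If systemd-oomd creates /run/systemd/oom itself, the policy needs something like `manage_dirs_pattern(systemd_oomd_t, systemd_oomd_var_run_t, systemd_oomd_var_run_t)` alongside the sock_file rule; if PID 1 creates it for the socket unit, that should be confirmed and documented instead. The `io\.systemd\.ManagedOOM` socket entry on L37 raises the same question, since the connectto denial quoted in the description targets kernel_t, which suggests that socket is bound by a different domain than the one this type is written for.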
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 359f4158d..aee267cd7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -304,6 +304,11 @@ files_pid_file(systemd_nsresourced_runtime_t)
systemd_domain_template(systemd_mountfsd)
+systemd_domain_template(systemd_oomd)
+
+type systemd_oomd_var_run_t;
+files_pid_file(systemd_oomd_var_run_t)
+
systemd_domain_template(systemd_pcrextend)
systemd_domain_template(systemd_pcrlock)
@@ -1997,6 +2002,24 @@ permissive systemd_mountfsd_t;
kernel_dgram_send(systemd_mountfsd_t)
+########################################
+#
+# systemd_oomd local policy
+#
+
+dontaudit systemd_oomd_t self:capability dac_override;
+allow systemd_oomd_t systemd_oomd_var_run_t:sock_file manage_sock_file_perms;
+
+kernel_dgram_send(systemd_oomd_t)
+kernel_read_psi(systemd_oomd_t)
+kernel_stream_connect(systemd_oomd_t)
+
+optional_policy(`
+ dbus_acquire_svc_system_dbusd(systemd_oomd_t)
+')
+
+permissive systemd_oomd_t;
+
########################################
#
# systemd_nsresourced local policy
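Review bot: `permissive systemd_oomd_t;` on L80 leaves the new domain effectively unconfined, so the rules above it are only the starting set collected from the denials in the description, and nothing in the hunk says so; it follows the neighbouring `permissive systemd_mountfsd_t;` convention, but a comment such as `# permissive until the denials from bsc#1236535 are resolved` next to it would tell a later reader when it can be dropped. The rule on L70 covers only the socket object: there is no dir permission on systemd_oomd_var_run_t and no file transition, so a socket created under /run/systemd/oom would keep the parent directory's label until a restorecon — assuming oomd rather than PID 1 creates it, `files_pid_filetrans(systemd_oomd_t, systemd_oomd_var_run_t, { dir sock_file })`, or whichever init_ pid-filetrans interface this tree uses, is the usual pattern. Note also that the dontaudit on L69 suppresses the dac_override message even while the domain is permissive, so if oomd ever genuinely needs that capability it will not appear in later audit collection; worth a short comment stating it is a known benign probe if that is the expectation.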