File 1236535-oomctl_tmpfs.diff of Package selinux-policy
commit 6208d15ed8db677e84dea628d06c656aacab282b
Author: Robert Frohl <rfrohl@suse.com>
Date: Tue Jul 8 13:14:52 2025 +0200
Allow 'oomctl dump' to interact with systemd-oomd
type=AVC msg=audit(..): avc: denied { write } for pid=3357 comm="systemd-oomd" path=/memfd:data-fd (deleted) dev="tmpfs" ino=2092 scontext=system_u:system_r:systemd_oomd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Fixes: bsc#1236535
Signed-off-by: Robert Frohl <rfrohl@suse.com>
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d201b4f59..2015e84df 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -300,6 +300,9 @@ systemd_domain_template(systemd_mountfsd)
systemd_domain_template(systemd_oomd)
+type systemd_oomd_tmpfs_t;
+files_tmpfs_file(systemd_oomd_tmpfs_t)
+
type systemd_oomd_var_run_t;
files_pid_file(systemd_oomd_var_run_t)
@@ -1917,6 +1920,9 @@ kernel_dgram_send(systemd_mountfsd_t)
dontaudit systemd_oomd_t self:capability dac_override;
allow systemd_oomd_t systemd_oomd_var_run_t:sock_file manage_sock_file_perms;
+manage_files_pattern(systemd_oomd_t, systemd_oomd_tmpfs_t, systemd_oomd_tmpfs_t)
+fs_tmpfs_filetrans(systemd_oomd_t, systemd_oomd_tmpfs_t, file)
+
kernel_dgram_send(systemd_oomd_t)
kernel_read_psi(systemd_oomd_t)
kernel_stream_connect(systemd_oomd_t)
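Review bot: The new private type only covers the producer side of the memfd; the `oomctl dump` caller that receives the fd over the bus still has to read a `systemd_oomd_tmpfs_t` file, and nothing in this patch (declaration in the first hunk, rules here) exposes the type to other domains, so a confined admin domain would presumably hit a `read` denial on the passed fd while unconfined callers would not notice. Unless `systemd.if` is changed in a commit not shown here, consider adding a read interface for the new type (something along the lines of a `systemd_read_oomd_tmpfs_files(domain)` wrapping `read_files_pattern($1, systemd_oomd_tmpfs_t, systemd_oomd_tmpfs_t)`) and a short comment above `type systemd_oomd_tmpfs_t;` stating that it labels memfds created by systemd-oomd via the tmpfs type transition. Note also that the audited denial is only `write`, whereas `manage_files_pattern` grants the full manage set; that follows the usual refpolicy idiom for `*_tmpfs_t` types, but it is a deliberate widening beyond the AVC that the commit message could state. The oomd rule block continues outside this hunk.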