systemd: allow getattr of namespace files for more components

Followup of #840 with a few more systemd components. Signed-off-by: Rahul Sandhu <[email protected]>
SELinuxProject · Jan 11, 2025 · c74cb85 · c74cb85
1 parent c89e874
commit c74cb85
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 0 deletions.
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
@@ -224,6 +224,7 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
 	# these rules are required by systemd-boot-update
 	fs_getattr_cgroup(bootloader_t)
+	fs_getattr_nsfs_files(bootloader_t)
 	init_read_state(bootloader_t)
 	init_rw_inherited_stream_socket(bootloader_t)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
@@ -531,6 +531,7 @@ ifdef(`init_systemd',`
 	domain_read_all_domains_state(syslogd_t)
 
 	fs_list_cgroup_dirs(syslogd_t)
+	fs_getattr_nsfs_files(syslogd_t)
 	fs_watch_memory_pressure(syslogd_t)
 	fs_getattr_nsfs_files(syslogd_t)
 

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
@@ -220,6 +220,7 @@ sysnet_write_config(lvm_t)
 userdom_use_inherited_user_terminals(lvm_t)
 
 ifdef(`init_systemd',`
+	fs_getattr_nsfs_files(lvm_t)
 	fs_list_pstore_dirs(lvm_t)
 	fs_manage_hugetlbfs_dirs(lvm_t)
 	fs_search_cgroup_dirs(lvm_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -916,6 +916,7 @@ files_read_usr_files(systemd_locale_t)
 
 fs_getattr_all_fs(systemd_locale_t)
 fs_search_cgroup_dirs(systemd_locale_t)
+fs_getattr_nsfs_files(systemd_locale_t)
 
 init_stream_connect(systemd_locale_t)
 
@@ -1557,6 +1558,7 @@ manage_sock_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t,
 init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)
 
 fs_getattr_cgroup(systemd_nsresourced_t)
+fs_getattr_nsfs_files(systemd_nsresourced_t)
 
 # for /proc/1/environ
 init_read_state(systemd_nsresourced_t)