selinux-policy/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch


From c19e4cb9a3f23f2b14c31c978627f9c486a369f4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 31 Aug 2022 18:20:03 +0200
Subject: [PATCH] Allow systemd permissions needed for sandboxed services
The permissions to mounton self and get mail spool files attributes
were added for init_t. An example of a service requiring them is
accounts-daemon from the accountsservice package, which since v22 has
tighter sandboxing, including mounting into private namespaces and
listing accessible paths.
Resolves: rhbz#2122059
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 06be25304a..4311dbc359 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -187,6 +187,7 @@ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+allow init_t self:file mounton;
allow init_t self:fifo_file rw_fifo_file_perms;
allow init_t self:service manage_service_perms;
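Review bot: The added `allow init_t self:file mounton;` has no comment of its own and sits directly under the `# setuid` and `# sys_chroot` comments, which describe capabilities and do not explain why the init domain may use its own files as mount points. Because init_t is the domain systemd runs in, the grant is not limited to accounts-daemon, so the reason should be recorded next to the rule, for example `# mounton self: needed when systemd sets up private mount namespaces for sandboxed units (rhbz#2122059)`. It would also help a later audit to note which path produced the original denial, which is not visible in this patch. The run of `allow init_t self:` rules continues outside the hunk.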
@@ -544,6 +545,7 @@ optional_policy(`
optional_policy(`
postfix_exec(init_t)
postfix_list_spool(init_t)
+ mta_getattr_spool(init_t)
mta_read_config(init_t)
mta_manage_aliases(init_t)
')
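Review bot: `mta_getattr_spool(init_t)` is added inside the `optional_policy` block that also calls `postfix_exec(init_t)` and `postfix_list_spool(init_t)`, while the commit message attributes the need to accounts-daemon sandboxing rather than to postfix. If this block is dropped as a whole when the postfix interfaces are unavailable, the denial would presumably return on a policy built without the postfix module. Placing the call in its own `optional_policy` block containing only `mta_getattr_spool(init_t)` would decouple the two. The existing `mta_read_config` and `mta_manage_aliases` calls share the same placement, so this may be deliberate and worth a one-line comment such as `# getattr on mail spool: systemd lists accessible paths for sandboxed units`.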