From 26eb377014bfd1f85591aca20f25ee0b546c245f Mon Sep 17 00:00:00 2001
From: Christian Schneider <christian.schneider3@gmx.net>
Date: Fri, 23 Jun 2023 22:56:08 +0200
Subject: [PATCH] systemd-generator: systemd_generator_t load kernel modules
 used for e.g. zram-generator

Fixes:
avc:  denied  { getsched } for  pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc:  denied  { execute } for  pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1

Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index de5be835bd..a7ed453e86 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -524,6 +524,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
+modutils_domtrans(systemd_generator_t)
+
 # write for systemd-zram-generator
 storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)