From 2765e7fc1b56b8b280918dfa3625b7c792b63b41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Sat, 16 Nov 2024 15:05:13 +0100
Subject: [PATCH] systemd: permit sysusers to create /etc/group
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

audit[14480]: AVC avc: denied { create } for pid=14480 comm="systemd-sysuser" name=".#group5f44baae46cc7c1d" scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1f7049b1d8..cf7fc96430 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -302,6 +302,8 @@ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+# create /etc/group
+domain_obj_id_change_exemption(systemd_sysusers_t)
 role systemd_sysusers_roles types systemd_sysusers_t;
 
 type systemd_tmpfiles_t;
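Review bot: The added comment `# create /etc/group` understates what the next line grants. `domain_obj_id_change_exemption(systemd_sysusers_t)` exempts the whole domain from the constraint on changing the SELinux user in object contexts, so it covers every object the domain's allow rules let it create or relabel, not only the group file. The denial quoted in the commit message has source user `unconfined_u` and target user `system_u`, which suggests the trigger is sysusers being run from an unconfined session rather than by init. A comment that records this would help later audits, for example `# sysusers started from a user session creates /etc/.#group* as system_u, which differs from the caller's SELinux user`. The allow rules for systemd_sysusers_t are outside this hunk, so it is worth confirming there that the set of types it may create or relabel is narrow enough for a domain-wide exemption.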