Allow nut-upsmon read systemd-logind session files

The commit addresses the following AVC denial example: type=AVC msg=audit(08/25/24 15:08:31.976:201) : avc: denied { read } for pid=6543 comm=wall name=sessions dev="tmpfs" ino=1257 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1 Resolves: rhbz#2297933
fedora-selinux · Sep 4, 2024 · c4f832a · c4f832a
1 parent 1559079
commit c4f832a
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
@@ -105,11 +105,8 @@ init_rw_utmp(nut_upsmon_t)
 init_telinit(nut_upsmon_t)
 fs_getattr_xattr_fs(nut_upsmon_t)
 
-
 mta_send_mail(nut_upsmon_t)
 
-systemd_start_power_services(nut_upsmon_t)
-
 optional_policy(`
 	shutdown_domtrans(nut_upsmon_t)
 ')
@@ -119,6 +116,11 @@ optional_policy(`
 	systemd_dbus_chat_logind(nut_upsmon_t)
 ')
 
+optional_policy(`
+	systemd_read_logind_sessions_files(nut_upsmon_t)
+	systemd_start_power_services(nut_upsmon_t)
+')
+
 ########################################
 #
 # Local policy for upsdrvctl