author Kenton Groombridge <me@concord.sh> 2022-12-07 10:27:48 -0500
committer Kenton Groombridge <concord@gentoo.org> 2022-12-13 14:07:34 -0500
commit 495622d3b23f95f5645afa087020240af0951f97
tree 248974d8117c644d3fd18ee97a92dc1e05e032cb /policy/modules/kernel/filesystem.if
parent container: add rules required for metallb BGP speakers
filesystem, init: allow systemd to setattr on ramfs dirs
This is needed by systemd-creds on system boot. Without this access, many services fail to start. Observed on systemd-252 on Gentoo.

type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy/modules/kernel/filesystem.if')
-rw-r--r-- policy/modules/kernel/filesystem.if 19
1 files changed, 19 insertions, 0 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c1078d79..af2023e6 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4780,6 +4780,25 @@ interface(`fs_dontaudit_search_ramfs',`
########################################
## <summary>
+## Set the attributes of directories on
+## a ramfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir setattr;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## directories on a ramfs.
## </summary>
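Review bot: `allow $1 ramfs_t:dir setattr;` in fs_setattr_ramfs_dirs covers every directory labeled ramfs_t, while the denial in the commit message is for a single ramfs mount root (name="/" dev="ramfs") touched by (sd-mkdcreds). ramfs_t is the only type visible here, so the rule cannot be narrower at this layer, but the summary comment could say that it applies to all ramfs directories. The init-side caller is outside this filesystem.if-limited view, so it should be checked to confirm the interface is granted to init_t only where systemd is in use.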