Allow snapperd execute systemctl in the caller domain

The commit addresses the following AVC denial: type=AVC msg=audit(1738151778.369:679): avc: denied { execute_no_trans } for pid=5390 comm="snapperd" path="/usr/bin/systemctl" dev="nvme0n1p7" ino=368840 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0 Resolves: rhbz#2342778
fedora-selinux · Jan 31, 2025 · 3dbb3d2 · 3dbb3d2
1 parent 6e44e3d
commit 3dbb3d2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/policy/modules/contrib/snapper.te b/policy/modules/contrib/snapper.te
@@ -94,3 +94,7 @@ optional_policy(`
 optional_policy(`
     snapper_relabel_snapshots(snapperd_t)
 ')
+
+optional_policy(`
+	systemd_exec_systemctl(snapperd_t)
+')