From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 30 Mar 2021 20:54:17 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
Conflict: NA
Subject: [PATCH] Allow nsswitch_domain read cgroup files

This permission is required when the systemd nss module is used in nsswitch.conf for users or groups. The module checks whether the current process is running in the root cgroup, or if rather cgroup namespaces are in place.

Resolves: rhbz#1895061
---
 policy/modules/system/authlogin.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 068caed..0e54d0a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)
+fs_read_cgroup_files(nsswitch_domain)
+
 init_stream_connectto(nsswitch_domain)
 sysnet_dns_name_resolve(nsswitch_domain)
--
1.8.3.1
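Review bot: The added `fs_read_cgroup_files(nsswitch_domain)` carries no comment, unlike the `files_read_etc_files` rule just above it, so the reason for the grant is recorded only in the commit message. Because the rule is attached to `nsswitch_domain` rather than to a single type, it presumably applies to every domain that uses nsswitch, whether or not the systemd nss module is configured; that breadth is worth stating next to the rule so a later audit of cgroup access can trace it. I would add above it `# systemd nss module reads cgroup files to detect the root cgroup or a cgroup namespace (rhbz#1895061)`. The surrounding run of nsswitch_domain rules starts and ends outside the hunk, so any conditional or optional wrapping around it is not visible here.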