During setup-overlay, a shell is run in test_overlay_mounter_t from a "here document" i.e. an inline input. This creates a temporary file that is inherited by the shell and must be readable. Allow it. This is apparently being allowed somehow in the base Fedora policy for all domains but not in Debian. Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- policy/test_overlayfs.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te index 6f1756e..b29621e 100644 --- a/policy/test_overlayfs.te +++ b/policy/test_overlayfs.te @@ -52,6 +52,7 @@ corecmd_exec_bin(test_overlay_mounter_t) userdom_search_admin_dir(test_overlay_mounter_t) userdom_search_user_home_content(test_overlay_mounter_t) +userdom_read_user_tmp_files(test_overlay_mounter_t) mount_exec(test_overlay_mounter_t) mount_rw_pid_files(test_overlay_mounter_t) -- 2.23.1
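Review bot: the added `userdom_read_user_tmp_files(test_overlay_mounter_t)` grants the domain read access to user tmp files in general, which is wider than the one inherited here-document file the commit message describes; either note in the message why the broader read is acceptable for a test domain, or check whether a narrower rule covering only the inherited descriptor would do. The message also says the access "is apparently being allowed somehow" in the Fedora policy; naming the actual Fedora rule or interface that grants it would make the Debian-specific need verifiable and help whoever later tries to tighten this policy.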