After a live package installation on an OSTree system using `rpm-ostree install --apply-live ...`, domains need to be able to use file descriptors from install_t, otherwise they fail to load dynamic libraries. Thus, this rule needs to be added to testsuite_domain_type_minimal() so that the testsuite can run successfully on OSTree systems. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_policy.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/test_policy.if b/policy/test_policy.if index b20baad..e590f0b 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -37,6 +37,7 @@ interface(`testsuite_domain_type',` interface(`testsuite_domain_type_minimal',` gen_require(` type setrans_var_run_t; + type install_t; ') testsuite_domain_type_common($1) @@ -46,6 +47,7 @@ interface(`testsuite_domain_type_minimal',` allow $1 proc_t:lnk_file { read }; allow $1 self:dir { search }; allow $1 self:file { open read write }; + allow $1 install_t:fd use; # for rpm-ostree --apply-live magic dontaudit $1 security_t:filesystem getattr; dontaudit $1 self:file getattr; dontaudit $1 setrans_var_run_t:dir search; -- 2.43.0
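Review bot: the new `type install_t;` in the gen_require block of testsuite_domain_type_minimal() (first hunk) is unconditional, so the test policy can only be built against a base policy that defines install_t, while the commit message says the rule is needed only on OSTree systems. Consider wrapping the require and the matching allow rule in an optional_policy block, or guarding them with a build-time conditional, so that a policy without install_t is unaffected.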
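Review bot: the comment on `allow $1 install_t:fd use;` in the second hunk ("for rpm-ostree --apply-live magic") does not record why the permission is needed. The commit message has the actual reason: after `rpm-ostree install --apply-live`, domains fail to load dynamic libraries unless they can use file descriptors from install_t. A one-line version of that in the comment would let a later reader decide whether the rule is still required. Because the rule sits in the minimal interface, every domain declared through it gets the permission, which is also worth stating in the comment.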