On Thu, Feb 8, 2024 at 5:11 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> After a live package installation on an OSTree system using `rpm-ostree
> install --apply-live ...`, domains need to be able to use file
> descriptors from install_t, otherwise they fail to load dynamic
> libraries. Thus, this rule needs to be added to
> testsuite_domain_type_minimal() so that the testsuite can run successfully
> on OSTree systems.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  policy/test_policy.if | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index b20baad..e590f0b 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -37,6 +37,7 @@ interface(`testsuite_domain_type',`
>  interface(`testsuite_domain_type_minimal',`
>  	gen_require(`
>  		type setrans_var_run_t;
> +		type install_t;
>  	')
>
>  	testsuite_domain_type_common($1)
> @@ -46,6 +47,7 @@ interface(`testsuite_domain_type_minimal',`
>  	allow $1 proc_t:lnk_file { read };
>  	allow $1 self:dir { search };
>  	allow $1 self:file { open read write };
> +	allow $1 install_t:fd use; # for rpm-ostree --apply-live magic
>  	dontaudit $1 security_t:filesystem getattr;
>  	dontaudit $1 self:file getattr;
>  	dontaudit $1 setrans_var_run_t:dir search;
> --
> 2.43.0

Applied: https://github.com/SELinuxProject/selinux-testsuite/commit/f9f4a604b50eecdc9ff674f1762208f23c15013f

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
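Review bot: the `type install_t;` added to the gen_require block of testsuite_domain_type_minimal() is an unconditional requirement, so the test policy will no longer build against a base policy that does not define install_t, even on hosts where rpm-ostree is not involved. If the testsuite is expected to load on such policies, consider putting the requirement together with its matching `allow $1 install_t:fd use;` rule inside an optional_policy block, or state in the README that install_t is now a hard prerequisite of the minimal test domain interface.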
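Review bot: the inline comment on `allow $1 install_t:fd use; # for rpm-ostree --apply-live magic` should state the actual reason given in the commit message, that after `rpm-ostree install --apply-live` the test domains inherit file descriptors from install_t and fail to load dynamic libraries without this permission; "magic" gives the next maintainer no way to tell whether the rule is still needed. Also note that the rule is granted to every domain built with testsuite_domain_type_minimal(), not only to those run on OSTree hosts, which is acceptable for a test policy but worth a word in the comment so nobody mistakes it for a rule required by the test cases themselves.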