policy: fix testsuite_domain_type_minimal() to work with rpm-ostree

After a live package installation on an OSTree system using `rpm-ostree install --apply-live ...`, domains need to be able to use file descriptors from install_t, otherwise they fail to load dynamic libraries. Thus, this rule needs to be added to testsuite_domain_type_minimal() so that the testuite ca run successfully on OSTree systems. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
SELinuxProject · Feb 8, 2024 · f9f4a60 · f9f4a60
1 parent 78e144c
commit f9f4a60
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/policy/test_policy.if b/policy/test_policy.if
@@ -37,6 +37,7 @@ interface(`testsuite_domain_type',`
 interface(`testsuite_domain_type_minimal',`
 	gen_require(`
 		type setrans_var_run_t;
+		type install_t;
 	')
 
 	testsuite_domain_type_common($1)
@@ -46,6 +47,7 @@ interface(`testsuite_domain_type_minimal',`
 	allow $1 proc_t:lnk_file { read };
 	allow $1 self:dir { search };
 	allow $1 self:file { open read write };
+	allow $1 install_t:fd use; # for rpm-ostree --apply-live magic
 	dontaudit $1 security_t:filesystem getattr;
 	dontaudit $1 self:file getattr;
 	dontaudit $1 setrans_var_run_t:dir search;