From 65e1b35102ca7278b61462c3cbf8e2bad4e2b47f Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Tue, 9 Jun 2020 20:08:06 +0200
Subject: [PATCH] =?UTF-8?q?selinux:=20Allow=20unconfined=5Fservice=5Ft=20?= =?UTF-8?q?=E2=86=92=20osbuild=5Ft?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When osbuild is invoked via the osbuild composer worker, the latter is run in the unconfined_service_t domain, so add a rule that allows that transition.
---
 selinux/osbuild.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/selinux/osbuild.te b/selinux/osbuild.te
index 0851f324..1a5f98d4 100644
--- a/selinux/osbuild.te
+++ b/selinux/osbuild.te
@@ -51,6 +51,15 @@ optional_policy(`
 osbuild_run(unconfined_t, unconfined_r)
 ')

+optional_policy(`
+ gen_require(`
+ type unconfined_service_t;
+ role system_r;
+ ')
+
+ osbuild_run(unconfined_service_t, system_r)
+')
+
 # allow transitioning to install_t (for ostree)
 optional_policy(`
 anaconda_domtrans_install(osbuild_t)
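Review bot: The new `optional_policy` block carries no comment, unlike the `# allow transitioning to install_t (for ostree)` block right after it, so the reason for the rule lives only in the commit message. `unconfined_service_t` is the type systemd services run in when no dedicated policy module covers them, so `osbuild_run(unconfined_service_t, system_r)` applies to every such service on the host, not only the osbuild-composer worker; what it grants depends on `osbuild_run` and `osbuild_t`, which are defined outside this hunk. I would add `# osbuild-composer's worker runs as unconfined_service_t; this rule covers every service in that domain` above the block, and consider giving the worker its own domain as a follow-up so the transition can be scoped to it.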