selinux: Allow unconfined_service_t → osbuild_t
When osbuild is invoked via the osbuild composer worker, the latter is run in the unconfined_service_t domain, so add a rule that allows that transition.
This commit is contained in:
Christian Kellner
Tom Gundersen
parent
a419ee9038
commit
65e1b35102
1 changed files with 9 additions and 0 deletions
|
|
@ -51,6 +51,15 @@ optional_policy(`
|
|||
osbuild_run(unconfined_t, unconfined_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type unconfined_service_t;
|
||||
role system_r;
|
||||
')
|
||||
|
||||
osbuild_run(unconfined_service_t, system_r)
|
||||
')
|
||||
|
||||
# allow transitioning to install_t (for ostree)
|
||||
optional_policy(`
|
||||
anaconda_domtrans_install(osbuild_t)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue