From e90a74f088382fa6174016c4f4854fd4052135e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hozza?= Date: Tue, 17 Dec 2024 11:02:14 +0100 Subject: [PATCH] SELinux: apply osbuild_exec_t to /usr/bin/osbuild-image-info MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is needed, for the tool to be able to read SELinux labels from the inspected image, which are not known to the host on which it is running. Signed-off-by: Tomáš Hozza --- selinux/osbuild.fc | 1 + selinux/osbuild_selinux.8 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/selinux/osbuild.fc b/selinux/osbuild.fc index d9cb686f..990ff50a 100644 --- a/selinux/osbuild.fc +++ b/selinux/osbuild.fc @@ -1,4 +1,5 @@ /usr/bin/osbuild -- gen_context(system_u:object_r:osbuild_exec_t,s0) +/usr/bin/osbuild-image-info -- gen_context(system_u:object_r:osbuild_exec_t,s0) /usr/lib/osbuild/assemblers/.* -- gen_context(system_u:object_r:osbuild_exec_t,s0) /usr/lib/osbuild/stages/.* -- gen_context(system_u:object_r:osbuild_exec_t,s0) /usr/lib/osbuild/sources/.* -- gen_context(system_u:object_r:osbuild_exec_t,s0) diff --git a/selinux/osbuild_selinux.8 b/selinux/osbuild_selinux.8 index 3c727a0e..22333f33 100644 --- a/selinux/osbuild_selinux.8 +++ b/selinux/osbuild_selinux.8 @@ -18,7 +18,7 @@ The osbuild_t SELinux type can be entered via the \fBosbuild_exec_t\fP file type The default entrypoint paths for the osbuild_t domain are the following: -/usr/lib/osbuild/stages/*, /usr/lib/osbuild/sources/*, /usr/lib/osbuild/assemblers/*, /usr/bin/osbuild +/usr/lib/osbuild/stages/*, /usr/lib/osbuild/sources/*, /usr/lib/osbuild/assemblers/*, /usr/bin/osbuild, /usr/bin/osbuild-image-info .SH PROCESS TYPES SELinux defines process types (domains) for each process running on the system .PP
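Review bot: In selinux/osbuild.fc, the new `/usr/bin/osbuild-image-info` line makes an inspection tool an entrypoint into osbuild_t, the same domain the stages, sources and assemblers enter, while the commit message only asks for the ability to read SELinux labels the host does not know. Please state in the commit message, or in a comment above the new line, which osbuild_t permission the tool actually relies on and whether a narrower domain was considered, so the grant can be revisited later. The `--` file-type field also limits the entry to regular files, so the label will not apply if the tool is ever installed as a symlink at that path.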
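Review bot: In selinux/osbuild_selinux.8, only the "default entrypoint paths" sentence is updated, and the diffstat shows a single changed line in this file. If the man page lists the osbuild_exec_t paths anywhere else, for example in a file-contexts section, that list needs `/usr/bin/osbuild-image-info` as well so the page stays consistent with osbuild.fc. If there is no other list, no change is needed here.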