[v4,testsuite,08/15] test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files

Message ID 20200508154138.24217-9-stephen.smalley.work@gmail.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček
Series Update to work on Debian

Commit Message

Stephen Smalley May 8, 2020, 3:41 p.m. UTC
During setup-overlay, a shell is run in test_overlay_mounter_t from
a "here document" i.e. an inline input.  This creates a temporary file
that is inherited by the shell and must be readable.  Allow it.
This is apparently being allowed somehow in the base Fedora policy
for all domains but not in Debian.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_overlayfs.te | 1 +
 1 file changed, 1 insertion(+)
Patch

diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
index 6f1756e..b29621e 100644
--- a/policy/test_overlayfs.te
+++ b/policy/test_overlayfs.te
@@ -52,6 +52,7 @@  corecmd_exec_bin(test_overlay_mounter_t)
 
 userdom_search_admin_dir(test_overlay_mounter_t)
 userdom_search_user_home_content(test_overlay_mounter_t)
+userdom_read_user_tmp_files(test_overlay_mounter_t)
 
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
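Review bot: the added userdom_read_user_tmp_files(test_overlay_mounter_t) line carries no comment explaining why a mounter domain needs read access to user tmp files, and the reason given in the commit message (the shell run from a "here document" inherits a temporary file that must be readable) is not recoverable from the rule itself; a one-line comment above it, e.g. "# read the heredoc temp file inherited by the shell in setup-overlay", would keep the next reader from removing it as an unexplained grant. Also worth noting in that comment is the commit message's observation that this is needed on Debian but apparently allowed elsewhere by the base Fedora policy, since that is the kind of distribution-specific dependency that otherwise gets lost.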