Fixes #37497 - allow bootdisk to access /dev/shm

On EL8 genisoimage doesn't need access to /dev/shm as it does not use libburn. On EL9 it *does* use libburn and that needs accss to /dev/shm. Let's allow it.
theforeman · Jun 3, 2024 · 5e2a6b8 · 5e2a6b8
1 parent ed5f66a
commit 5e2a6b8
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/foreman.te b/foreman.te
@@ -518,3 +518,12 @@ allow httpd_t foreman_lib_t:lnk_file { getattr read };
 # and manage links
 allow foreman_rails_t tmp_t:file map;
 allow foreman_rails_t tmp_t:lnk_file { create unlink };
+
+######################################
+#
+# Foreman Bootdisk plugin
+#
+
+# The plugin spawns genisoimage which needs access to /dev/shm
+allow foreman_rails_t tmpfs_t:filesystem getattr;
+allow foreman_rails_t fs_t:filesystem getattr;