From 5e2a6b8f47690ec6af56c9d8b7b0e9b7c34ded0f Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Thu, 23 May 2024 09:32:42 +0200
Subject: [PATCH] Fixes #37497 - allow bootdisk to access /dev/shm

On EL8 genisoimage doesn't need access to /dev/shm as it does not use libburn. On EL9 it *does* use libburn and that needs accss to /dev/shm. Let's allow it.
---
 foreman.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/foreman.te b/foreman.te
index 923818a..32f81ac 100644
--- a/foreman.te
+++ b/foreman.te
@@ -518,3 +518,12 @@ allow httpd_t foreman_lib_t:lnk_file { getattr read };
 # and manage links
 allow foreman_rails_t tmp_t:file map;
 allow foreman_rails_t tmp_t:lnk_file { create unlink };
+
+######################################
+#
+# Foreman Bootdisk plugin
+#
+
+# The plugin spawns genisoimage which needs access to /dev/shm
+allow foreman_rails_t tmpfs_t:filesystem getattr;
+allow foreman_rails_t fs_t:filesystem getattr;
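Review bot: The comment above the two added rules says genisoimage "needs access to /dev/shm", but the rules grant only `getattr` on the `filesystem` class, and the second one targets `fs_t`, which is the usual label for xattr-capable disk filesystems rather than for /dev/shm. I would make the comment match the grant, e.g. `# genisoimage (libburn on EL9) runs in foreman_rails_t and queries filesystem attributes of /dev/shm (tmpfs_t) and of regular filesystems (fs_t); no file access in /dev/shm is granted here`, so a later policy audit does not read it as broader or narrower than it is. No domain transition for the helper is visible in this hunk, so the permission presumably applies to the whole Rails domain; that looks acceptable for a getattr-only rule but is worth stating in the comment. If `tmpfs_t` and `fs_t` are not already listed in the module's require block (outside this hunk), the refpolicy interfaces `fs_getattr_tmpfs(foreman_rails_t)` and `fs_getattr_xattr_fs(foreman_rails_t)` would express the same grant without that dependency.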