From 9f70372889144ed5cd799450b9ec3933fb0cfe2f Mon Sep 17 00:00:00 2001
From: Packit Service <user-cont-team+packit-service@redhat.com>
Date: Dec 10 2020 00:20:23 +0000
Subject: Apply patch selinux-allow-nnp-and-nosuid-transitions.patch


patch_name: selinux-allow-nnp-and-nosuid-transitions.patch
present_in_specfile: true

---

diff --git a/selinux/osbuild.if b/selinux/osbuild.if
index 815c691..48d099f 100644
--- a/selinux/osbuild.if
+++ b/selinux/osbuild.if
@@ -93,3 +93,22 @@ interface(`osbuild_role',`
 	ps_process_pattern($2, osbuild_t)
 	allow $2 osbuild_t:process { signull signal sigkill };
 ')
+
+########################################
+## <summary>
+##	osbuild nnp / nosuid transitions to domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to be allowed to transition into.
+## </summary>
+## </param>
+#
+interface(`osbuild_nnp_nosuid_trans',`
+	gen_require(`
+		type osbuild_t;
+		class process2 { nnp_transition nosuid_transition };
+	')
+
+	allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
+')
diff --git a/selinux/osbuild.te b/selinux/osbuild.te
index 1a5f98d..e4a0c7d 100644
--- a/selinux/osbuild.te
+++ b/selinux/osbuild.te
@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
 # execute setfiles in the setfiles_mac domain
 # when in the osbuild_t domain
 seutil_domtrans_setfiles_mac(osbuild_t)
+osbuild_nnp_nosuid_trans(setfiles_mac_t)
 
 # Allow sysadm and unconfined to run osbuild
 optional_policy(`
@@ -63,4 +64,5 @@ optional_policy(`
 # allow transitioning to install_t (for ostree)
 optional_policy(`
 	anaconda_domtrans_install(osbuild_t)
+	osbuild_nnp_nosuid_trans(install_t)
 ')