From 2512fd889c43c8da644b3c66835a8b166e3ff2bc Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 13 Nov 2023 13:45:06 +0100 Subject: [PATCH] Allow kdump work with PrivateTmp In particular, assign kdumpctl_tmp_t to the systemd_private_tmp_type attribute. The commit addresses the following AVC denial: AVC avc: denied { remove_name } for pid=2386 comm="(sd-rmrf)" name="tmp" dev="vda5" ino=201741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=dir permissive=0 Resolves: rhbz#2246046 --- policy/modules/contrib/kdump.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te index 6a912a1437..9d63c849af 100644 --- a/policy/modules/contrib/kdump.te +++ b/policy/modules/contrib/kdump.te @@ -199,6 +199,10 @@ optional_policy(` ssh_exec(kdumpctl_t) ') +optional_policy(` + systemd_private_tmp(kdumpctl_tmp_t) +') + optional_policy(` unconfined_domain(kdumpctl_t) ')
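Review bot: The added optional_policy block around systemd_private_tmp(kdumpctl_tmp_t) is broader than the denial it cites and has no comment saying why it is there. The AVC in the commit message is a single remove_name on a dir by init_t (comm "(sd-rmrf)"), while assigning kdumpctl_tmp_t to systemd_private_tmp_type gives init_t whatever access the policy defines for that attribute on every object labeled kdumpctl_tmp_t. Please confirm that kdumpctl_tmp_t is only used for content under the service's PrivateTmp directory. A one-line comment above the block, for example "# PrivateTmp cleanup by systemd, rhbz#2246046", would keep the reason visible in kdump.te.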