From a078c4af8cb5e5bf8b1a3d5b62e8c04e916e8bbe Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Sep 12 2018 06:24:34 +0000
Subject: [selinux] allow frontend's apache to ioctl uploaded tarballs Resolves those warnings: type=AVC msg=audit(1536733036.786:132): avc: denied { ioctl } for pid=991 comm="httpd" path="/var/lib/copr/data/srpm_storage/tmpricdq2lf/dummy-pkg-20180912_0817-0.src.rpm" dev="vda1" ino=266497 ioctlcmd=0x5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:copr_data_t:s0 tclass=file permissive=0
---
diff --git a/selinux/copr.te b/selinux/copr.te
index 7cbdc5b..6a88d28 100644
--- a/selinux/copr.te
+++ b/selinux/copr.te
@@ -26,7 +26,7 @@ logging_log_file(copr_httpd_log_t); #============= httpd_t ============== allow httpd_t copr_data_t:dir { write getattr read remove_name open add_name create rmdir search};
-allow httpd_t copr_data_t:file { rename write getattr read create open lock unlink};
+allow httpd_t copr_data_t:file { rename write getattr read create open lock unlink ioctl };
 optional_policy(` gen_require(` class file map; ')
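Review bot: The `ioctl` added to the `allow httpd_t copr_data_t:file` rule grants every ioctl command on copr_data_t files to the whole httpd_t domain, while the denial quoted in the commit message shows only `ioctlcmd=0x5401`. On Linux that value is TCGETS, which most likely comes from an isatty()-style probe when the uploaded file is opened, so the denial is probably harmless and `dontaudit httpd_t copr_data_t:file ioctl;` would silence it without widening the policy. If the call does need to succeed, keeping the allow and adding `allowxperm httpd_t copr_data_t:file ioctl 0x5401;` limits it to that one command, provided the target policy version supports extended permissions. A short comment above the rule naming the AVC it resolves would also help whoever audits this policy next; the `optional_policy` block that follows continues outside the hunk and was not reviewed.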