From 5fef6f1665c0efe69aa77b1f3075b70790683730 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 26 Mar 2023 12:16:40 -0500
Subject: [PATCH] Allow systemd-tmpfiles to manage all files

The `systemd_tmpfiles_manage_all` SELinux boolean allows
systemd-tmpfiles to manage any file, not just the (very small) subset
allowed by the default SELinux policy.  Since we're using
systemd-tmpfiles to create directories and subvolumes for our
applications, we need this setting enabled.
---
 build-rootfs.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build-rootfs.sh b/build-rootfs.sh
index d21924b..655926c 100755
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -97,6 +97,7 @@ fi
 unshare -m sh -e <<EOF
 mount -o bind /mnt/gentoo/var/lib/selinux /var/lib/selinux
 mount -o bind /mnt/gentoo/etc/selinux /etc/selinux
+semanage boolean -N -m --on systemd_tmpfiles_manage_all
 semanage boolean -N -m --on ssh_sysadm_login
 semanage login -N -m -s root root
 semanage user -N -m -R sysadm_r root