From a1999939eb9bef95ca5371121e5bab3e98e8862e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Wed, 29 Mar 2023 11:03:32 -0500
Subject: [PATCH] SELinux: Allow init-storage to set permissions

Files and directories that have restrictive permissions and/or are now
owned by *root:root* require `cp` to have additional process
capabilities in order to copy them to the writable filesystem.
---
 repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
index 822ecb8..23f47a5 100644
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@@ -36,7 +36,7 @@ files_tmp_file(aimee_set_root_password_tmp_t)
 #
 
 allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
-allow aimee_storinit_t self:capability { chown fsetid sys_admin };
+allow aimee_storinit_t self:capability { dac_read_search dac_override chown fowner fsetid sys_admin };
 allow aimee_storinit_t self:process { setfscreate };
 
 manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)