swtpm/selinux.patch

From 816c9ef66eaec230f9dd89e1deebfadc7359aa60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Sat, 13 Jul 2024 13:37:29 +0400
Subject: [PATCH] selinux

---
 src/selinux/swtpm.te       | 12 +++++++++++-
 src/selinux/swtpm_svirt.te |  4 ++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
index 2327721..c35056e 100644
--- a/src/selinux/swtpm.te
+++ b/src/selinux/swtpm.te
@@ -11,6 +11,8 @@ require {
 	type virt_var_lib_t;
 	type virtqemud_t;
 	type virtqemud_tmp_t;
+        class file map;
+        tunable virt_use_nfs;
 }
 
 attribute_role swtpm_roles;
@@ -30,10 +32,11 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
 allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
 allow swtpm_t var_log_t:file open;
 allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
+allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };
 allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
 allow swtpm_t virtqemud_tmp_t:file { open write };
 
+virt_read_log(swtpm_t)
 
 domain_use_interactive_fds(swtpm_t)
 
@@ -42,3 +45,10 @@ files_read_etc_files(swtpm_t)
 auth_use_nsswitch(swtpm_t)
 
 miscfiles_read_localization(swtpm_t)
+
+tunable_policy(`virt_use_nfs',`
+    fs_manage_nfs_dirs(swtpm_t)
+    fs_manage_nfs_files(swtpm_t)
+    fs_read_nfs_symlinks(swtpm_t)
+    fs_mmap_nfs_files(swtpm_t)
+')
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index f7b886c..424efa7 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -13,6 +13,7 @@ require {
 	type user_tmp_t;
 	type virtd_t;
 	type virtqemud_t;
+	type virt_var_run_t;
 }
 
 swtpm_domtrans(svirt_t)
@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t virtd_t:dir search;
 allow svirt_t virtd_t:fifo_file write;
 allow svirt_t virtqemud_t:fifo_file write;
+allow svirt_t virt_var_run_t:dir { write add_name remove_name };
+allow svirt_t virt_var_run_t:file { create write setattr unlink };
+allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
 
 # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
 allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
-- 
2.47.0
Add extra SELinux permissions https://issues.redhat.com/browse/RHEL-70835 https://issues.redhat.com/browse/RHEL-73809 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2025-01-14 07:21:49 +00:00			`From 816c9ef66eaec230f9dd89e1deebfadc7359aa60 Mon Sep 17 00:00:00 2001`
Add extra SELinux policies Resolves: RHEL-47273 2024-07-16 09:08:46 +00:00			`From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>`
			`Date: Sat, 13 Jul 2024 13:37:29 +0400`
			`Subject: [PATCH] selinux`

			`---`
Add extra SELinux permissions https://issues.redhat.com/browse/RHEL-70835 https://issues.redhat.com/browse/RHEL-73809 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2025-01-14 07:21:49 +00:00			`src/selinux/swtpm.te \| 12 +++++++++++-`
			`src/selinux/swtpm_svirt.te \| 4 ++++`
			`2 files changed, 15 insertions(+), 1 deletion(-)`
Add extra SELinux policies Resolves: RHEL-47273 2024-07-16 09:08:46 +00:00
Add extra SELinux policies. Related: RHEL-53967 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2024-11-04 13:10:00 +00:00			`diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te`
Add extra SELinux permissions https://issues.redhat.com/browse/RHEL-70835 https://issues.redhat.com/browse/RHEL-73809 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2025-01-14 07:21:49 +00:00			`index 2327721..c35056e 100644`
Add extra SELinux policies. Related: RHEL-53967 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2024-11-04 13:10:00 +00:00			`--- a/src/selinux/swtpm.te`
			`+++ b/src/selinux/swtpm.te`
Add extra SELinux permissions https://issues.redhat.com/browse/RHEL-70835 https://issues.redhat.com/browse/RHEL-73809 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2025-01-14 07:21:49 +00:00			`@@ -11,6 +11,8 @@ require {`
			`type virt_var_lib_t;`
			`type virtqemud_t;`
			`type virtqemud_tmp_t;`
			`+ class file map;`
			`+ tunable virt_use_nfs;`
			`}`

			`attribute_role swtpm_roles;`
			`@@ -30,10 +32,11 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };`
			`allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };`
			`allow swtpm_t var_log_t:file open;`
			`allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };`
			`-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };`
			`+allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };`
Add extra SELinux policies. Related: RHEL-53967 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2024-11-04 13:10:00 +00:00			`allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };`
			`allow swtpm_t virtqemud_tmp_t:file { open write };`

			`+virt_read_log(swtpm_t)`

			`domain_use_interactive_fds(swtpm_t)`

Add extra SELinux permissions https://issues.redhat.com/browse/RHEL-70835 https://issues.redhat.com/browse/RHEL-73809 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2025-01-14 07:21:49 +00:00			`@@ -42,3 +45,10 @@ files_read_etc_files(swtpm_t)`
			`auth_use_nsswitch(swtpm_t)`

			`miscfiles_read_localization(swtpm_t)`
			`+`
			+tunable_policy(`virt_use_nfs',`
			`+ fs_manage_nfs_dirs(swtpm_t)`
			`+ fs_manage_nfs_files(swtpm_t)`
			`+ fs_read_nfs_symlinks(swtpm_t)`
			`+ fs_mmap_nfs_files(swtpm_t)`
			`+')`
Add extra SELinux policies Resolves: RHEL-47273 2024-07-16 09:08:46 +00:00			`diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te`
			`index f7b886c..424efa7 100644`
			`--- a/src/selinux/swtpm_svirt.te`
			`+++ b/src/selinux/swtpm_svirt.te`
			`@@ -13,6 +13,7 @@ require {`
			`type user_tmp_t;`
			`type virtd_t;`
			`type virtqemud_t;`
			`+ type virt_var_run_t;`
			`}`

			`swtpm_domtrans(svirt_t)`
			`@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };`
			`allow svirt_t virtd_t:dir search;`
			`allow svirt_t virtd_t:fifo_file write;`
			`allow svirt_t virtqemud_t:fifo_file write;`
			`+allow svirt_t virt_var_run_t:dir { write add_name remove_name };`
			`+allow svirt_t virt_var_run_t:file { create write setattr unlink };`
			`+allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };`

			`# For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )`
			`allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };`
			`--`
Add extra SELinux policies. Related: RHEL-53967 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> 2024-11-04 13:10:00 +00:00			`2.47.0`
Add extra SELinux policies Resolves: RHEL-47273 2024-07-16 09:08:46 +00:00