Add extra SELinux policies

Resolves: RHEL-47273
2024-07-16 13:08:46 +04:00 · 2024-07-16 13:08:46 +04:00 · 663d46e294
commit 663d46e294
parent 15b0b8d16e
2 changed files with 40 additions and 1 deletions
--- a/selinux.patch
+++ b/selinux.patch
@ -0,0 +1,34 @@
+From 1eab90cc323509eda1b43ef81fccb4bcf28056f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Sat, 13 Jul 2024 13:37:29 +0400
+Subject: [PATCH] selinux
+
+---
+ src/selinux/swtpm_svirt.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
+index f7b886c..424efa7 100644
+--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
+@@ -13,6 +13,7 @@ require {
+ 	type user_tmp_t;
+ 	type virtd_t;
+ 	type virtqemud_t;
+	type virt_var_run_t;
+ }
+ 
+ swtpm_domtrans(svirt_t)
+@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
+ allow svirt_t virtd_t:dir search;
+ allow svirt_t virtd_t:fifo_file write;
+ allow svirt_t virtqemud_t:fifo_file write;
+allow svirt_t virt_var_run_t:dir { write add_name remove_name };
+allow svirt_t virt_var_run_t:file { create write setattr unlink };
+allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
+ 
+ # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
+ allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
+-- 
+2.41.0.28.gd7d8841f67
+
--- a/swtpm.spec
+++ b/swtpm.spec
@ -8,7 +8,7 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.9.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3-Clause
 Url:            https://github.com/stefanberger/swtpm
 Source0:        https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
@ -17,6 +17,7 @@ Source1:        openssl-swtpm.cnf
 # swtpm algorithm list is unconditional. Since it advertizes
 # SHA-1, we MUST always provide a working SHA-1 impl
 Patch0002:      swtpm-custom-openssl.patch
+Patch0003:      selinux.patch

 BuildRequires: make
 BuildRequires:  git-core
@ -200,6 +201,10 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca

 %changelog
+* Wed Jul 17 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-2
+- Add extra SELinux policies.
+  Resolves: RHEL-47273
+
 * Tue Jul 09 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-1
 - Update to v0.9.0 release
  Resolves: RHEL-42590