From 8b3d376f342dba778e3b110a1fadd96788afd16a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 14 Jan 2025 11:21:49 +0400
Subject: [PATCH] Add extra SELinux permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://issues.redhat.com/browse/RHEL-70835
https://issues.redhat.com/browse/RHEL-73809

Signed-off-by: Marc-André Lureau
---
 selinux.patch | 37 +++++++++++++++++++++++++++++++------
 swtpm.spec | 8 +++++++-
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/selinux.patch b/selinux.patch
index 616ac7f..7e69bc2 100644
--- a/selinux.patch
+++ b/selinux.patch
@@ -1,18 +1,32 @@
-From b5276c6f67c17ab5636f787c5a2177f77594fa2b Mon Sep 17 00:00:00 2001
+From 816c9ef66eaec230f9dd89e1deebfadc7359aa60 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
 Date: Sat, 13 Jul 2024 13:37:29 +0400
 Subject: [PATCH] selinux
 
 ---
- src/selinux/swtpm.te | 1 +
- src/selinux/swtpm_svirt.te | 4 ++++
- 2 files changed, 5 insertions(+)
+ src/selinux/swtpm.te | 12 +++++++++++-
+ src/selinux/swtpm_svirt.te | 4 ++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
 
 diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
-index 2327721..f1c6867 100644
+index 2327721..c35056e 100644
 --- a/src/selinux/swtpm.te
 +++ b/src/selinux/swtpm.te
-@@ -34,6 +34,7 @@ allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
+@@ -11,6 +11,8 @@ require {
+ type virt_var_lib_t;
+ type virtqemud_t;
+ type virtqemud_tmp_t;
++ class file map;
++ tunable virt_use_nfs;
+ }
+ 
+ attribute_role swtpm_roles;
+@@ -30,10 +32,11 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
+ allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
+ allow swtpm_t var_log_t:file open;
+ allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
+-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
++allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };
  allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
  allow swtpm_t virtqemud_tmp_t:file { open write };
  
@@ -20,6 +34,17 @@ index 2327721..f1c6867 100644
  domain_use_interactive_fds(swtpm_t)
  
  
+@@ -42,3 +45,10 @@ files_read_etc_files(swtpm_t)
+ auth_use_nsswitch(swtpm_t)
+ 
+ miscfiles_read_localization(swtpm_t)
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(swtpm_t)
++ fs_manage_nfs_files(swtpm_t)
++ fs_read_nfs_symlinks(swtpm_t)
++ fs_mmap_nfs_files(swtpm_t)
++')
 diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
 index f7b886c..424efa7 100644
 --- a/src/selinux/swtpm_svirt.te
diff --git a/swtpm.spec b/swtpm.spec
index 30f95ea..e46b88a 100644
--- a/swtpm.spec
+++ b/swtpm.spec
@@ -8,7 +8,7 @@ Summary: TPM Emulator
 Name: swtpm
 Version: 0.9.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: BSD-3-Clause
 Url: https://github.com/stefanberger/swtpm
 Source0: https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
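Review bot: The `map` permission added to the `allow swtpm_t virt_var_lib_t:file` rule is not explained in the hunk or in the commit message, and SELinux allow rules tend to accumulate without any record of why they were needed. `map` lets swtpm_t mmap any virt_var_lib_t file, on top of the create/rename/setattr/unlink/write it already had, so a one-line comment above the rule such as `# map: needed so swtpm_t can mmap TPM state files under virt_var_lib_t (swtpm issue #970)` would record the intent; if the denial was only observed on NFS-backed state, say so, since fs_mmap_nfs_files in the following hunk covers that path separately. The `class file map;` and `tunable virt_use_nfs;` lines added to the require block are what these new rules need to compile and look correct. The enclosing swtpm.te module continues outside the hunk.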
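Review bot: The `tunable_policy(`virt_use_nfs', ...)` block grants swtpm_t manage access (create, delete, rename, write) to every nfs_t directory and file, not only to the swtpm state directory, because NFS mounts without a `context=` option carry the single nfs_t label; this is the same trade-off the virt policy makes for confined guests under virt_use_nfs, but it deserves a comment above the block stating that scope and that the boolean is normally off, e.g. `# virt_use_nfs (off by default): lets swtpm_t keep TPM state on NFS; with default NFS labeling this grants manage access to all nfs_t files.` Deployments that only need the state directory on NFS can instead mount with a `context=` option so a dedicated type applies and the tunable can stay disabled, which would be worth noting in the package documentation. `fs_mmap_nfs_files(swtpm_t)` pairs with the `map` permission added to the virt_var_lib_t rule earlier in the same file, so the two changes should be documented together.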
@@ -202,6 +202,12 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
+* Tue Jan 14 2025 Marc-André Lureau - 0.9.0-5
+- Add extra SELinux policies.
+ https://github.com/stefanberger/swtpm/issues/970
+ Resolves: RHEL-70835
+ Resolves: RHEL-73809
+
 * Mon Nov 04 2024 Marc-André Lureau - 0.9.0-4
 - Add extra SELinux policies.
  Related: RHEL-53967