From 63825b296c445457a6bfd5d8c720c96bd284cef9 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Fri, 11 Aug 2023 18:13:12 -0400
Subject: [PATCH] SELinux: Add rules for user_tpm_t:sockfile to allow unlink

With a memoryBacking node added to the libvirt domain XML, the unlink permission on user_tmp_t:sockfile becomes necessary to avoid an avc denial. 2097152 Also add the unlink permission to the other occurrences of sock_file.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2165142
Signed-off-by: Stefan Berger
---
 src/selinux/swtpm_svirt.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index 6c92fb0..4487ea7 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -15,7 +15,7 @@ swtpm_domtrans(svirt_tcg_t)
 #============= svirt_t ==============
 allow svirt_t virtd_t:fifo_file { read write };
 allow svirt_t virtd_t:process sigchld;
-allow svirt_t user_tmp_t:sock_file { create setattr };
+allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t swtpm_exec_t:file { entrypoint map };
 # libvirt specific rules needed on F28
 allow svirt_t virtd_t:unix_stream_socket { read write getopt getattr accept };
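Review bot: The widened `allow svirt_t user_tmp_t:sock_file { create setattr unlink };` carries no comment saying why unlink is now required, so the only record of the trigger (a memoryBacking node in the domain XML, per the commit message) will be lost once the commit scrolls out of blame. A one-line comment above the rule keeps the rationale next to the policy: `# unlink is needed when the domain XML carries a memoryBacking node (rhbz#2165142)`. Note also that user_tmp_t is a generic type shared by every user's temporary files, so this grants svirt_t the ability to remove any user_tmp_t socket file rather than only the swtpm one; if that breadth is accepted it is worth stating in the same comment, and if libvirt labels the socket with a more specific type that would be the place to tighten it — I cannot confirm the labelling from this hunk.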
@@ -25,10 +25,10 @@
 allow svirt_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_t virt_var_run_t:sock_file { create setattr };
 allow svirt_tcg_t virtd_t:fifo_file { write read };
-allow svirt_tcg_t virt_var_run_t:sock_file { create setattr };
+allow svirt_tcg_t virt_var_run_t:sock_file { create setattr unlink };
 allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
-allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
 # libvirt specific rules needed on F28
 allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };
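Review bot: The context line `allow svirt_t virt_var_run_t:sock_file { create setattr };` at the top of this hunk is the one sock_file rule left without unlink, even though the commit message says the permission is added to the other occurrences of sock_file, and its svirt_tcg_t counterpart three lines below does gain it. After this change svirt_t and svirt_tcg_t differ on the virt_var_run_t socket, which looks unintended given that the two domains are otherwise kept in step throughout the hunk. Either extend it to `allow svirt_t virt_var_run_t:sock_file { create setattr unlink };` or say in the commit message that svirt_t is deliberately excluded for that path, so the asymmetry is not read as an omission by the next person chasing an AVC denial.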