From 7dac1dbf6f5629744e60e58e8c80e83973f790d4 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Fri, 11 Aug 2023 17:23:33 -0400
Subject: [PATCH] SELinux: Add rules for sock_file on user_tmp_t

The following command line did not function on an x86_64 host due to missing SELinux rules:

virt-install -v \
--name fedora-38-aarch64 \
--ram 4096 \
--disk path=fedora-38.img,cache=none \
--nographics \
--os-variant fedora38 \
--import \
--virt-type=qemu \
--arch aarch64 \
--check all=off

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2228423

Signed-off-by: Stefan Berger
---
 src/selinux/swtpm_svirt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index ab8e15e..6c92fb0 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -29,5 +29,6 @@ allow svirt_tcg_t virt_var_run_t:sock_file { create setattr };
 allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
 # libvirt specific rules needed on F28
 allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };
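Review bot: The added line grants `create setattr` on `user_tmp_t:sock_file` but nothing on the `user_tmp_t` directory itself, so unless a rule or interface call outside this hunk already grants `dir { write add_name }` on `user_tmp_t`, creating the socket will still be denied at the directory step — the `virt_var_run_t` rules in the surrounding context pair their `sock_file` rule with `allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };` for exactly this reason, and no `remove_name`/`unlink` is granted here either, so stale sockets presumably cannot be cleaned up by the domain. `user_tmp_t` is also a broad type covering every user-writable temp/runtime location, so a narrower design would be a `filetrans_pattern`/`type_transition` that labels the swtpm socket with a swtpm-specific type instead of opening the whole type; that is a design choice beyond what this one-line fix attempts. A comment tying the rule to its reason would help the next person auditing this policy, e.g. `# unprivileged (session) libvirt creates the swtpm control socket in a user_tmp_t directory; rhbz#2228423`.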