SELinux: Extend SELinux policy with rules for svirt_tcg

Extend the SELinux policy with rules for svirt_tcg, which libvirt uses
when it starts QEMU without KVM.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Stefan Berger 2018-09-04 12:29:13 -04:00
parent b28f585c41
commit b88244ebeb


@ -2,18 +2,26 @@ module swtpm_svirt 1.0;
require {
type svirt_t;
type svirt_tcg_t;
type swtpm_exec_t;
type virtd_t;
type user_tmp_t;
type virt_var_run_t;
class file { entrypoint map execute read };
class file { create entrypoint map execute open read write };
class process sigchld;
class fifo_file write;
class sock_file { create setattr };
class sock_file { create setattr remove_name };
class dir { write add_name remove_name };
}
#============= svirt_t ==============
allow svirt_t virtd_t:fifo_file write;
allow svirt_t virtd_t:process sigchld;
allow svirt_t user_tmp_t:sock_file { create setattr };
allow svirt_t swtpm_exec_t:file { entrypoint map execute read };
allow svirt_t swtpm_exec_t:file { entrypoint map execute read };
allow svirt_tcg_t virtd_t:fifo_file write;
allow svirt_tcg_t virt_var_run_t:sock_file { create setattr remove_name };
allow svirt_tcg_t virt_var_run_t:file { create open read write };
allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
allow svirt_tcg_t swtpm_exec_t:file { entrypoint map execute read };
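Review bot: `class sock_file { create setattr remove_name };` in the require block, used by `allow svirt_tcg_t virt_var_run_t:sock_file { create setattr remove_name };`, names a permission that belongs to the dir class rather than to sock_file — removing a socket file is `unlink` on the sock_file itself, while `remove_name` is the permission on its parent directory, which the new dir rule on virt_var_run_t already grants; unless this policy's class definitions differ from the reference ones, checkmodule is expected to reject the module on that line. Changing both lines to `class sock_file { create setattr unlink };` and `allow svirt_tcg_t virt_var_run_t:sock_file { create setattr unlink };` matches the apparent intent. The svirt_tcg_t rules are also appended under the existing `#============= svirt_t ==============` header; a `#============= svirt_tcg_t ==============` line before `allow svirt_tcg_t virtd_t:fifo_file write;` keeps the file's sectioning consistent. Note that `allow svirt_tcg_t virt_var_run_t:file { create open read write }` is broader than the svirt_t rules, which are confined to sockets under user_tmp_t: it lets the non-KVM emulator domain create and write any file labelled virt_var_run_t, so if the swtpm state and socket can carry a narrower type that would be the safer scope.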