Update virtqemud policy
zpytela committed Dec 20, 2024
1 parent 0d528ae commit feca48a
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions policy/modules/contrib/virt.te
Expand Up @@ -2109,20 +2109,21 @@ allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run };
allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setpcap setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio sys_resource };
allow virtqemud_t self:capability2 { bpf perfmon };
allow virtqemud_t self:cap_userns kill;

allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:tcp_socket create_socket_perms;
allow virtqemud_t self:tun_socket create;
allow virtqemud_t self:tun_socket { create relabelfrom relabelto };
allow virtqemud_t self:udp_socket { connect create getattr };

allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom;

allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;
allow virtqemud_t svirt_tcg_t: process { setsched signal signull transition };
allow virtqemud_t svirt_tcg_t: process { getrlimit getsched setsched signal signull transition };
allow virtqemud_t svirt_tcg_t: unix_stream_socket { connectto create_stream_socket_perms };
allow virtqemud_t svirt_tcg_t:file read_file_perms;
allow virtqemud_t svirt_tcg_t:lnk_file read_lnk_file_perms;

allow virtqemud_t svirt_devpts_t:chr_file open;
allow virtqemud_t svirt_tmpfs_t:file { map write };
Expand Down Expand Up @@ -2178,7 +2179,6 @@ manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
read_files_pattern(virtqemud_t, svirt_t, svirt_t)
read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
read_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)

manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t)

Expand Down Expand Up @@ -2278,6 +2278,10 @@ optional_policy(`
dnsmasq_filetrans_named_content_fromdir(virtqemud_t, virtqemud_var_run_t)
')

optional_policy(`
numad_domtrans(virtqemud_t)
')

optional_policy(`
qemu_exec(virtqemud_t)
')
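Review bot: The two guest domains end up with different process permissions from virtqemud_t: the svirt_tcg_t rule listing `getrlimit getsched` (apparently the new side of the printed pair) has no `getattr`, while the svirt_t rule a few lines above has `getattr` but neither `getrlimit` nor `getsched`. If the denials behind this change were only seen with TCG guests the asymmetry may be intended, but neither the commit message nor the policy says so; a short comment above the rule naming the operation that needs the access, something like `# virtqemud queries scheduler/rlimit state of TCG guests` once confirmed, would let a later least-privilege audit tell a deliberate difference from an omission. The same applies to the `relabelfrom relabelto` added on `self:tun_socket` and to the new `numad_domtrans(virtqemud_t)` block, which opens a transition into another domain without stating when virtqemud runs numad. On style, the svirt_tcg_t file and lnk_file rules are written `svirt_tcg_t:file` while the neighbouring process rule keeps `svirt_tcg_t: process` with a space, and svirt_t file access further down still goes through `read_files_pattern`; one form should be used for both domains.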