Make new virt drivers permissive

This is temporary change, to detect and fix SELinux denials without usability issues.
zpytela · Oct 10, 2023 · bc3f448 · bc3f448
1 parent e62efd6
commit bc3f448
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -360,6 +360,7 @@ files_tmp_file(virtqemud_tmp_t)
 type virtqemud_var_run_t, virt_driver_var_run;
 files_pid_file(virtqemud_var_run_t)
 
+permissive virtqemud_t;
 # virtsecretd
 type virtsecretd_t, virt_driver_domain;
 type virtsecretd_exec_t, virt_driver_executable;
@@ -371,6 +372,7 @@ files_type(virtsecretd_t)
 type virtsecretd_var_run_t, virt_driver_var_run;
 files_pid_file(virtsecretd_var_run_t)
 
+permissive virtsecretd_t;
 # virtstoraged
 type virtstoraged_t, virt_driver_domain;
 type virtstoraged_exec_t, virt_driver_executable;
@@ -385,6 +387,8 @@ files_tmp_file(virtstoraged_tmp_t)
 type virtstoraged_var_run_t, virt_driver_var_run;
 files_pid_file(virtstoraged_var_run_t)
 
+permissive virtstoraged_t;
+
 # virtvboxd
 type virtvboxd_t, virt_driver_domain;
 type virtvboxd_exec_t, virt_driver_executable;
@@ -396,7 +400,9 @@ files_type(virtvboxd_t)
 type virtvboxd_var_run_t, virt_driver_var_run;
 files_pid_file(virtvboxd_var_run_t)
 
-# virtvzd
+permissive virtvboxd_t;
+
+# virtvzd - unconfined
 type virtvzd_t, virt_driver_domain;
 type virtvzd_exec_t, virt_driver_executable;
 init_daemon_domain(virtvzd_t, virtvzd_exec_t)
@@ -407,7 +413,7 @@ files_type(virtvzd_t)
 type virtvzd_var_run_t, virt_driver_var_run;
 files_pid_file(virtvzd_var_run_t)
 
-# virtxend
+# virtxend - unconfined
 type virtxend_t, virt_driver_domain;
 type virtxend_exec_t, virt_driver_executable;
 init_daemon_domain(virtxend_t, virtxend_exec_t)

diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te
@@ -44,9 +44,6 @@ gen_require(`
     class passwd passwd;
 ')
 
-type qemu_exec_t;
-application_executable_file(qemu_exec_t)
-
 type virt_qmf_t;
 type virt_qmf_exec_t;
 init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -5391,7 +5391,7 @@ interface(`dev_dontaudit_write_urand',`
 
 ########################################
 ## <summary>
-##      Delete files in the dev/urandom directory.
+##      Delete files in the dev/urandom.
 ## </summary>
 ## <param name="domain">
 ##      <summary>