Allow virtqemud additional permissions for tmpfs_t blk devices

The following permissions were added: create, relabelfrom, setattr. Resolves: RHEL-61235
zpytela · Dec 12, 2024 · d46e065 · d46e065
1 parent 248f810
commit d46e065
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2231,6 +2231,9 @@ fs_manage_tmpfs_dirs(virtqemud_t)
 fs_manage_tmpfs_symlinks(virtqemud_t)
 fs_mount_tmpfs(virtqemud_t)
 fs_read_nsfs_files(virtqemud_t)
+fs_create_tmpfs_chr_blk_files(virtqemud_t)
+fs_setattr_tmpfs_chr_blk_files(virtqemud_t)
+fs_relabel_tmpfs_blk_file(virtqemud_t)
 fs_relabel_tmpfs_chr_file(virtqemud_t)
 
 seutil_read_default_contexts(virtqemud_t)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -6015,6 +6015,42 @@ interface(`fs_rw_tmpfs_chr_files',`
 	rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
+########################################
+## <summary>
+##	Create character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_create_tmpfs_chr_blk_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:chr_file create_blk_file_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of character nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_tmpfs_chr_blk_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and write character nodes on tmpfs filesystems.