From d46e065bcd2915960c24342f92fe5a16b1230975 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Thu, 12 Dec 2024 16:06:05 +0100 Subject: [PATCH] Allow virtqemud additional permissions for tmpfs_t blk devices The following permissions were added: create, relabelfrom, setattr. Resolves: RHEL-61235 --- policy/modules/contrib/virt.te | 3 +++ policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 9d643a98a5..29facbf0d7 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2231,6 +2231,9 @@ fs_manage_tmpfs_dirs(virtqemud_t) fs_manage_tmpfs_symlinks(virtqemud_t) fs_mount_tmpfs(virtqemud_t) fs_read_nsfs_files(virtqemud_t) +fs_create_tmpfs_chr_blk_files(virtqemud_t) +fs_setattr_tmpfs_chr_blk_files(virtqemud_t) +fs_relabel_tmpfs_blk_file(virtqemud_t) fs_relabel_tmpfs_chr_file(virtqemud_t) seutil_read_default_contexts(virtqemud_t) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 43aac260c3..21eb16d95d 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -6015,6 +6015,42 @@ interface(`fs_rw_tmpfs_chr_files',` rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') +######################################## +## +## Create character nodes on tmpfs filesystems. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_create_tmpfs_chr_blk_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:chr_file create_blk_file_perms; +') + +######################################## +## +## Set attributes of character nodes on tmpfs filesystems. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_setattr_tmpfs_chr_blk_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:chr_file setattr; +') + ######################################## ## ## Do not audit attempts to read and write character nodes on tmpfs filesystems.
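Review bot: The subject line says the added permissions are for tmpfs_t blk devices, but the two new interfaces called here, `fs_create_tmpfs_chr_blk_files` and `fs_setattr_tmpfs_chr_blk_files`, only grant the tmpfs_t:chr_file class in the filesystem.if hunk, so create and setattr on tmpfs_t:blk_file are still not allowed for virtqemud_t after this patch; only the relabel call reaches blk_file, through `fs_relabel_tmpfs_blk_file`, which this patch does not define and which I assume already exists elsewhere in filesystem.if. If the denials behind RHEL-61235 are on blk_file, the allow rules inside those two interfaces should name both classes, e.g. `allow $1 tmpfs_t:{ chr_file blk_file } create_blk_file_perms;` and `allow $1 tmpfs_t:{ chr_file blk_file } setattr;`, which also makes the chr_blk names accurate. Since tmpfs_t covers every tmpfs mount rather than one path, it would help reviewers if the commit message recorded which mount the denials came from. The virtqemud_t rule block this hunk touches starts and ends outside the hunk.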
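Review bot: The XML doc blocks on both new interfaces describe the parameter as `Domain to not audit.`, which is the wording for dontaudit interfaces; these are allow interfaces, so the description should read `Domain allowed access.` as the other allow-style fs_*_tmpfs_* interfaces in this file use. The summaries `Create character nodes on tmpfs filesystems.` and `Set attributes of character nodes on tmpfs filesystems.` also mention only character nodes while the names promise chr and blk, so the summary and the name should be brought in line with whichever class set the rule finally grants. As written, `fs_create_tmpfs_chr_blk_files` applies `create_blk_file_perms` to a chr_file-only rule; if the rule stays chr_file-only, `create_chr_file_perms` is the perm set whose name matches the class, and if blk_file is added the blk set is fine for both. The `fs_rw_tmpfs_chr_files` interface whose tail is used as leading context starts outside the hunk.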