SELinux: Add rules for user_tpm_t:sockfile to allow unlink

With a memoryBacking node added to the libvirt domain XML, the unlink
permission on user_tmp_t:sock_file becomes necessary to avoid an AVC
denial.

  <currentMemory unit='KiB'>2097152</currentMemory>
  <memoryBacking>
    <hugepages>
      <page size='2048' unit='KiB'/>
    </hugepages>
  </memoryBacking>

Also add the unlink permission to the other occurrences of sock_file.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2165142
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index 6c92fb0..4487ea7 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -15,7 +15,7 @@
 #============= svirt_t ==============
 allow svirt_t virtd_t:fifo_file { read write };
 allow svirt_t virtd_t:process sigchld;
-allow svirt_t user_tmp_t:sock_file { create setattr };
+allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t swtpm_exec_t:file { entrypoint map };
 # libvirt specific rules needed on F28
 allow svirt_t virtd_t:unix_stream_socket { read write getopt getattr accept };
@@ -25,10 +25,10 @@
 allow svirt_t virt_var_run_t:sock_file { create setattr };
 
 allow svirt_tcg_t virtd_t:fifo_file { write read };
-allow svirt_tcg_t virt_var_run_t:sock_file { create setattr };
+allow svirt_tcg_t virt_var_run_t:sock_file { create setattr unlink };
 allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
-allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
 # libvirt specific rules needed on F28
 allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };
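Review bot: The context line at the top of this hunk, `allow svirt_t virt_var_run_t:sock_file { create setattr };`, is left without unlink even though the message says unlink is added to the other occurrences of sock_file, and the svirt_tcg_t counterpart two rules below does receive it. If the swtpm socket under virt_var_run_t is removed by the non-TCG domain as well, the same denial presumably recurs there; either change that line to `allow svirt_t virt_var_run_t:sock_file { create setattr unlink };` or state in the message why svirt_t is intentionally kept narrower. Granting unlink on the socket class only lets the domain remove sock_file nodes, so the widening is limited; it would still help to note next to the rule that it exists for the hugepages/memoryBacking case, e.g. `# unlink needed when the domain uses <memoryBacking> (rhbz#2165142)`. The first hunk makes the matching svirt_t user_tmp_t change and needs no further comment.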