SELinux: Add rules for sock_file on user_tmp_t
The following command line did not function on an x86_64 host due to missing
SELinux rules:
virt-install -v \
--name fedora-38-aarch64 \
--ram 4096 \
--disk path=fedora-38.img,cache=none \
--nographics \
--os-variant fedora38 \
--import \
--virt-type=qemu \
--arch aarch64 \
--check all=off
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2228423
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index ab8e15e..6c92fb0 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -29,5 +29,6 @@
allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
# libvirt specific rules needed on F28
allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };