commit 7dac1dbf6f5629744e60e58e8c80e83973f790d4
author Stefan Berger <stefanb@linux.ibm.com> Fri Aug 11 17:23:33 2023 -0400
committer Stefan Berger <stefanb@us.ibm.com> Tue Aug 15 10:30:08 2023 -0400
tree e4fa9d4b20e470ec89476316e98df3839d6900bf
parent f732f489c2769f3149b297d1601e7fe302da74fa

SELinux: Add rules for sock_file on user_tmp_t

The following command line did not function on an x86_64 host due to missing
SELinux rules:

virt-install -v \
 --name fedora-38-aarch64 \
 --ram 4096 \
 --disk path=fedora-38.img,cache=none \
 --nographics \
 --os-variant fedora38 \
 --import \
 --virt-type=qemu \
 --arch aarch64 \
 --check all=off

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2228423
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

src/selinux/swtpm_svirt.te

diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index ab8e15e..6c92fb0 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -29,5 +29,6 @@
 allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write };
 allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_tcg_t swtpm_exec_t:file { entrypoint map };
+allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
 # libvirt specific rules needed on F28
 allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept };