Google Git
Sign in
fuchsia/third_party/github.com/stefanberger/swtpm/cfe93d90b6a89ae37d5b945c89143973cf18cc90^!/.
commit
cfe93d90b6a89ae37d5b945c89143973cf18cc90
[log]
author
Marc-André Lureau <marcandre.lureau@redhat.com>
Mon Jan 20 13:00:14 2025 +0400
committer
Stefan Berger <stefanb@us.ibm.com>
Mon Jan 20 11:04:23 2025 -0500
tree
ce7f4ba7ff28007d7d19249731c5b0ec05818ae2
parent
01e804ff0a23f971b82bc51d02cd626eb98528b8 [diff]
SELinux: add NFS permissions for swtpm_t

swtpm fails with a NFS mount. `setsebool virt_use_nfs on` should fix it.

Resolves: https://issues.redhat.com/browse/RHEL-73809

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
index 668a1c2..9228648 100644
--- a/src/selinux/swtpm.te
+++ b/src/selinux/swtpm.te

@@ -13,6 +13,7 @@
 	type virtqemud_t;
 	type virtqemud_tmp_t;
 	class file map;
+	tunable virt_use_nfs;
 }
 
 attribute_role swtpm_roles;
@@ -45,3 +46,10 @@
 auth_use_nsswitch(swtpm_t)
 
 miscfiles_read_localization(swtpm_t)
+
+tunable_policy(`virt_use_nfs',`
+	fs_manage_nfs_dirs(swtpm_t)
+	fs_manage_nfs_files(swtpm_t)
+	fs_read_nfs_symlinks(swtpm_t)
+	fs_mmap_nfs_files(swtpm_t)
+')