| policy_module(swtpm_svirt,1.0) |
| |
| require { |
| type svirt_t; |
| type svirt_tcg_t; |
| type swtpm_exec_t; |
| type virtd_t; |
| type user_tmp_t; |
| type virt_var_run_t; |
| } |
| |
| swtpm_domtrans(svirt_t) |
| swtpm_domtrans(svirt_tcg_t) |
| |
| #============= svirt_t ============== |
| allow svirt_t virtd_t:fifo_file { read write }; |
| allow svirt_t virtd_t:process sigchld; |
| allow svirt_t user_tmp_t:sock_file { create setattr unlink }; |
| allow svirt_t swtpm_exec_t:file { entrypoint map }; |
| # libvirt specific rules needed on F28 |
| allow svirt_t virtd_t:unix_stream_socket { read write getopt getattr accept }; |
| # virt_var_run_t rules needed on F30 |
| allow svirt_t virt_var_run_t:dir { add_name remove_name write }; |
| allow svirt_t virt_var_run_t:file { create getattr open read unlink write }; |
| allow svirt_t virt_var_run_t:sock_file { create setattr }; |
| |
| allow svirt_tcg_t virtd_t:fifo_file { write read }; |
| allow svirt_tcg_t virt_var_run_t:sock_file { create setattr unlink }; |
| allow svirt_tcg_t virt_var_run_t:file { create getattr open read unlink write }; |
| allow svirt_tcg_t virt_var_run_t:dir { write add_name remove_name }; |
| allow svirt_tcg_t swtpm_exec_t:file { entrypoint map }; |
| allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink }; |
| # libvirt specific rules needed on F28 |
| allow svirt_tcg_t virtd_t:unix_stream_socket { read write getopt getattr accept }; |
