From ec5e8a2f6e50dee01c4df0c24363245dc7150e01 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 12 Dec 2024 16:06:05 +0100
Subject: [PATCH] Allow virtqemud additional permissions for tmpfs_t blk devices

The following permissions were added: create, relabelfrom, setattr.

Resolves: RHEL-61235
---
 policy/modules/contrib/virt.te | 3 +++
 policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 461553b780..445130a8f9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2241,6 +2241,9 @@ fs_manage_tmpfs_dirs(virtqemud_t)
 fs_manage_tmpfs_symlinks(virtqemud_t)
 fs_mount_tmpfs(virtqemud_t)
 fs_read_nsfs_files(virtqemud_t)
+fs_create_tmpfs_chr_blk_files(virtqemud_t)
+fs_setattr_tmpfs_chr_blk_files(virtqemud_t)
+fs_relabel_tmpfs_blk_file(virtqemud_t)
 fs_relabel_tmpfs_chr_file(virtqemud_t)
 fs_unmount_xattr_fs(virtqemud_t)
 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5a874c341f..c4e303f6ec 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6141,6 +6141,42 @@ interface(`fs_rw_tmpfs_chr_files',`
 rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
 ')
 
+########################################
+##
+## Create character nodes on tmpfs filesystems.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_create_tmpfs_chr_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:chr_file create_blk_file_perms;
+')
+
+########################################
+##
+## Set attributes of character nodes on tmpfs filesystems.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_setattr_tmpfs_chr_blk_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:chr_file setattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to read and write character nodes on tmpfs filesystems.
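Review bot: Both new interfaces in filesystem.if grant access only on class `chr_file`, while their names (`fs_create_tmpfs_chr_blk_files`, `fs_setattr_tmpfs_chr_blk_files`), the commit subject ("tmpfs_t blk devices") and the three new calls in virt.te all point at block devices; as written, virtqemud_t still gets no create or setattr on `tmpfs_t:blk_file`, and `create_blk_file_perms` applied to a `chr_file` rule reads as a copy-paste slip. If block nodes are intended, the two allow lines should become `allow $1 tmpfs_t:{ chr_file blk_file } create_blk_file_perms;` and `allow $1 tmpfs_t:{ chr_file blk_file } setattr;`; if only character nodes are intended, drop `blk` from the interface names so callers are not misled about what they are granting. The interface documentation also needs fixing: both summaries mention only "character nodes", and the parameter description "Domain to not audit." is copied from a dontaudit interface — for an allow interface it should read "Domain allowed access." Note that setattr here applies to every tmpfs_t chr node on the system, not only the nodes virtqemud creates; if that scope is wider than the bug needs, a file type transition to a dedicated type for the nodes virtqemud makes would confine it.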