qm.if: allow kvm connectto unix_stream_socket
This rule covers the case of a qm_container_kvm_t
container (e.g., containerized qemu) to work
with dbus display.

Also covers the use case for vhost-user devices,
as they use unix sockets to communicate with the
VMM (that is, assuming they also use the
qm_container_kvm_t type label).

Signed-off-by: Albert Esteve <[email protected]>
aesteve-rh authored and dougsland committed Sep 19, 2024
1 parent c3e66f1 commit ed4d501
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion qm.if
Expand Up @@ -363,7 +363,7 @@ template(`qm_domain_template',`
manage_sock_files_pattern($1_container_kvm_t, $1_file_t, $1_file_t)

allow $1_container_kvm_t $1_container_wayland_t:unix_stream_socket rw_stream_socket_perms;
allow $1_container_kvm_t $1_t:unix_stream_socket rw_stream_socket_perms;
allow $1_container_kvm_t $1_t:unix_stream_socket { connectto rw_stream_socket_perms };
container_stream_connect($1_container_kvm_t)

allow $1_container_kvm_t $1_t:tun_socket attach_queue;
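
Review bot: the `connectto` added on the `$1_container_kvm_t $1_t:unix_stream_socket` line has `$1_t` as its target, so it lets the KVM container connect to a stream socket listened on by any process running in the `$1_t` domain, not only the D-Bus display endpoint. The commit message also says vhost-user devices are assumed to carry the `qm_container_kvm_t` label; if the backend listener really runs with that label, its socket would be checked against `$1_container_kvm_t` as the target and this rule would not cover it, so please confirm which domain the listener runs in. A short comment above the rule naming the D-Bus display and vhost-user cases would keep the rationale in the policy source rather than only in the commit message.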