Allow virtqemud relabelfrom also for file and sock_file

So far, virtqemud was allowed relabelfrom qemu_var_run_t for the dir class only. This commit allows it also for the file and sock_file classes.
fedora-selinux · Aug 13, 2024 · 137c143 · 137c143
1 parent a2911ac
commit 137c143
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2108,7 +2108,7 @@ allow virtqemud_t self:tcp_socket create_socket_perms;
 allow virtqemud_t self:tun_socket create;
 allow virtqemud_t self:udp_socket { connect create getattr };
 
-allow virtqemud_t qemu_var_run_t:dir relabelfrom;
+allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom;
 
 allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
 allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };