Allow virtstoraged get attributes of configfs dirs

The commit addresses the following AVC denial: type=AVC msg=audit(1724038118.935:800): avc: denied { getattr } for pid=16121 comm="daemon-init" path="/sys/kernel/config" dev="configfs" ino=6163 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1 Resolves: rhbz#2305656
fedora-selinux · Sep 4, 2024 · 5d34a85 · 5d34a85
1 parent 7ece861
commit 5d34a85
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2339,6 +2339,7 @@ kernel_io_uring_use(virtstoraged_t)
 corecmd_exec_bin(virtstoraged_t)
 
 fs_getattr_all_fs(virtstoraged_t)
+fs_getattr_configfs_dirs(virtstoraged_t)
 
 userdom_read_user_home_content_files(virtstoraged_t)
 

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -2062,6 +2062,24 @@ interface(`fs_dontaudit_write_configfs_dirs',`
 	dontaudit $1 configfs_t:dir write;
 ')
 
+#######################################
+## <summary>
+##	Getattr dirs on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_configfs_dirs',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	allow $1 configfs_t:dir getattr;
+')
+
 #######################################
 ## <summary>
 ##	Read dirs