Allow virtqemud relabel user tmp files and socket files
Resolves: RHEL-49763
zpytela committed Aug 26, 2024
1 parent eb38a88 commit f843a1e
Showing 2 changed files with 21 additions and 0 deletions.
2 changes: 2 additions & 0 deletions policy/modules/contrib/virt.te
@@ -2285,6 +2285,8 @@ optional_policy(`
userdom_read_all_users_state(virtqemud_t)
userdom_read_user_home_content_files(virtqemud_t)
userdom_relabel_user_home_files(virtqemud_t)
userdom_relabel_user_tmp_files(virtqemud_t)
userdom_relabelfrom_user_tmp_sock_files(virtqemud_t)
')

#######################################
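Review bot: The two calls added for virtqemud_t let a system daemon change labels on user temporary files and socket files, and nothing in the policy records why this is needed. A one-line comment above them that ties the grant to the ticket would help later audits, for example `# RHEL-49763: virtqemud relabels user tmp files and socket files`. The socket-file grant is relabelfrom only, while userdom_relabel_user_tmp_files presumably covers both directions (its body is not shown here), so it is worth confirming that the types virtqemud_t can relabel to are as narrow as intended. The optional_policy block starts outside this hunk.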
19 changes: 19 additions & 0 deletions policy/modules/system/userdomain.if
@@ -3522,6 +3522,7 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')

########################################
## <summary>
## Read and write user temporary files.
@@ -3542,6 +3543,24 @@ interface(`userdom_rw_user_tmp_sock_files',`
files_search_tmp($1)
')

########################################
## <summary>
## Relabelfrom user temporary socket files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_relabelfrom_user_tmp_sock_files',`
gen_require(`
type user_tmp_t;
')

allow $1 user_tmp_t:sock_file relabelfrom_file_perms;
')

########################################
## <summary>
## Do not audit attempts to manage users
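Review bot: The new interface userdom_relabelfrom_user_tmp_sock_files applies `relabelfrom_file_perms` to the `sock_file` class; the class-specific set reads more clearly and stays correct if the two sets ever diverge: `allow $1 user_tmp_t:sock_file relabelfrom_sock_file_perms;`. Unlike the neighbouring userdom_rw_user_tmp_files and userdom_rw_user_tmp_sock_files, whose visible tails call `files_search_tmp($1)`, it grants no search on the tmp directories, so callers must get that elsewhere; if that is intentional, the summary should say so. The summary could also state that relabelfrom alone does not change a label and that the caller still needs relabelto on the destination type.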
