selinux: Add rules for swtpm_localca (newly installed F40 system)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · May 5, 2024 · defd1f4 · defd1f4
1 parent 8a867a1
commit defd1f4
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/selinux/swtpm_libvirt.te b/src/selinux/swtpm_libvirt.te
@@ -41,7 +41,11 @@ allow virtqemud_t svirt_tcg_t:unix_stream_socket { bind connectto create listen
 allow virtqemud_t svirt_tcg_devpts_t:chr_file { ioctl open read write };
 allow virtqemud_t swtpm_t:process { noatsecure rlimitinh siginh signull };
 allow virtqemud_t urandom_device_t:chr_file setattr;
-allow virtqemud_t var_lib_t:file write;
+
+# Some rules are due to swtpm-localca ( https://bugzilla.redhat.com/show_bug.cgi?id=2278905#c34 )
+allow virtqemud_t var_lib_t:dir add_name;
+allow virtqemud_t var_lib_t:file { create setattr write };
+
 allow virtqemud_t var_log_t:dir { add_name remove_name };
 allow virtqemud_t var_log_t:file { create relabelfrom relabelto setattr unlink write };
 allow virtqemud_t virt_var_lib_t:dir { relabelfrom relabelto };