Allow virtqemud rw and setattr access to sev devices

The commit addresses the following AVC denial: type=AVC msg=audit(1732696476.040:1215): avc: denied { open } for pid=27575 comm="rpc-virtqemud" path="/dev/sev" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sev_device_t:s0 tclass=chr_file permissive=1 Resolves: RHEL-69128
zpytela · Dec 12, 2024 · 204de2b · 204de2b
1 parent a7cd758
commit 204de2b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2214,6 +2214,8 @@ dev_relabel_all_dev_nodes(virtqemud_t)
 dev_rw_kvm(virtqemud_t)
 dev_rw_lvm_control(virtqemud_t)
 dev_rw_vhost(virtqemud_t)
+dev_rw_sev(virtqemud_t)
+dev_setattr_sev(virtqemud_t)
 dev_setattr_urand(virtqemud_t)
 dev_unmount_fs(virtqemud_t)
 

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -2974,6 +2974,24 @@ interface(`dev_rw_sev',`
 	rw_chr_files_pattern($1, device_t, sev_device_t)
 ')
 
+########################################
+## <summary>
+##	Settattr on sev devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_sev',`
+	gen_require(`
+		type device_t, sev_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, sev_device_t)
+')
+
 ######################################
 ## <summary>
 ##	Read the lirc device.