mirror of https://passt.top/passt synced 2025-05-11 21:08:50 +02:00
passt/contrib
Stefano Brivio 87471731e6 selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage
Here are a bunch of workarounds and a couple of fixes for libvirt
usage which are rather hard to split into single logical patches
as there appear to be some obscure dependencies between some of them:

- passt-repair needs to have an exec_type typeattribute (otherwise
  the policy for lsmd(1) causes a violation on getattr on its
  executable) file, and that typeattribute just happened to be there
  for passt as a result of init_daemon_domain(), but passt-repair
  isn't a daemon, so we need an explicit corecmd_executable_file()

- passt-repair needs a workaround, which I'll revisit once
  https://github.com/fedora-selinux/selinux-policy/issues/2579 is
  solved, for usage with libvirt: allow it to use qemu_var_run_t
  and virt_var_run_t sockets

- add 'bpf' and 'dac_read_search' capabilities for passt-repair:
  they are needed (for whatever reason I didn't investigate) to
  actually receive socket files via SCM_RIGHTS

- passt needs further workarounds in the sense of
  https://github.com/fedora-selinux/selinux-policy/issues/2579:
  allow it to use map and use svirt_tmpfs_t (not just svirt_image_t):
  it depends on where the libvirt guest image is

- ...it also needs to map /dev/null if <access mode='shared'/> is
  enabled in libvirt's XML for the memoryBacking object, for
  vhost-user operation

- and 'ioctl' on the TCP socket appears to be actually needed, on top
  of 'getattr', to dump some socket parameters

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2025-02-28 01:14:01 +01:00
apparmor apparmor: Workaround for unconfined libvirtd when triggered by unprivileged user 2025-02-06 09:43:09 +01:00
fedora contrib/fedora: Actually install passt-repair SELinux policy file 2025-02-19 23:33:53 +01:00
kata-containers Don't abbreviate ip(8) arguments in examples and tests 2022-06-15 09:38:10 +02:00
selinux selinux: Fixes/workarounds for passt and passt-repair, mostly for libvirt usage 2025-02-28 01:14:01 +01:00