From 70a3cec022ae0cd9762c70f023971bdd137f4461 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 26 Dec 2024 18:07:21 -0500
Subject: [PATCH] SELinux: Add rule for swtpm to be able to read password from pipe
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334271
Resolves: https://github.com/stefanberger/swtpm/issues/964
Signed-off-by: Stefan Berger
---
 src/selinux/swtpm_svirt.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
index 424efa73b..4569a7cc4 100644
--- a/src/selinux/swtpm_svirt.te
+++ b/src/selinux/swtpm_svirt.te
@@ -26,7 +26,8 @@ allow svirt_t swtpm_exec_t:file entrypoint;
 allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 allow svirt_t virtd_t:dir search;
-allow svirt_t virtd_t:fifo_file write;
+# For passing encryption secret via pipe (see https://bugzilla.redhat.com/show_bug.cgi?id=2334271)
+allow svirt_t virtd_t:fifo_file { write read };
 allow svirt_t virtqemud_t:fifo_file write;
 allow svirt_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_t virt_var_run_t:file { create write setattr unlink };
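Review bot: The parallel rule for the modular daemon on the very next context line, `allow svirt_t virtqemud_t:fifo_file write;`, is left write-only, so on hosts running virtqemud instead of monolithic libvirtd the same secret-over-pipe path will presumably still fail with an AVC denial for `read`; the fix should be mirrored as `allow svirt_t virtqemud_t:fifo_file { write read };` unless virtqemud passes the secret some other way. Note also that `fifo_file read` is granted on the whole `virtd_t` type, not on the one secret pipe, so the confined guest domain can now read any virtd_t-labelled FIFO it can reach; that is inherent to type enforcement here, but the added comment should say so, e.g. `# NOTE: this allows read on every virtd_t-labelled FIFO reachable by svirt_t, not only the secret pipe`. The hunk header counts one more trailing context line than is visible here, so the end of the hunk may be cut off in this view.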