SELinux: Add rule for swtpm to be able to read password from pipe

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334271 Resolves: #964 Signed-off-by: Stefan Berger <[email protected]>
stefanberger · Dec 26, 2024 · dc18890 · dc18890
1 parent 50f441a
commit dc18890
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
@@ -25,7 +25,8 @@ allow svirt_t swtpm_exec_t:file entrypoint;
 allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 
 allow svirt_t virtd_t:dir search;
-allow svirt_t virtd_t:fifo_file write;
+# For passing encryption secret via pipe (see https://bugzilla.redhat.com/show_bug.cgi?id=2334271)
+allow svirt_t virtd_t:fifo_file { write read };
 allow svirt_t virtqemud_t:fifo_file write;
 
 # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )