SELinux: Add rule for swtpm to be able to read password from pipe

Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334271 Resolves: #964 Signed-off-by: Stefan Berger <[email protected]>
stefanberger · Dec 26, 2024 · e9dc3d0 · e9dc3d0
1 parent 5344c0a
commit e9dc3d0
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
@@ -26,7 +26,8 @@ allow svirt_t swtpm_exec_t:file entrypoint;
 allow svirt_t user_tmp_t:sock_file { create setattr unlink };
 
 allow svirt_t virtd_t:dir search;
-allow svirt_t virtd_t:fifo_file write;
+# For passing encryption secret via pipe (see https://bugzilla.redhat.com/show_bug.cgi?id=2334271)
+allow svirt_t virtd_t:fifo_file { write read };
 allow svirt_t virtqemud_t:fifo_file write;
 allow svirt_t virt_var_run_t:dir { write add_name remove_name };
 allow svirt_t virt_var_run_t:file { create write setattr unlink };