From cfe93d90b6a89ae37d5b945c89143973cf18cc90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Mon, 20 Jan 2025 13:00:14 +0400
Subject: [PATCH] SELinux: add NFS permissions for swtpm_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
swtpm fails with a NFS mount. `setsebool virt_use_nfs on` should fix it.
Resolves: https://issues.redhat.com/browse/RHEL-73809
Signed-off-by: Marc-André Lureau
---
 src/selinux/swtpm.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
index 668a1c23..9228648d 100644
--- a/src/selinux/swtpm.te
+++ b/src/selinux/swtpm.te
@@ -13,6 +13,7 @@ require {
 type virtqemud_t;
 type virtqemud_tmp_t;
 class file map;
+ tunable virt_use_nfs;
 }
 attribute_role swtpm_roles;
@@ -45,3 +46,10 @@ files_read_etc_files(swtpm_t)
 auth_use_nsswitch(swtpm_t)
 miscfiles_read_localization(swtpm_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(swtpm_t)
+ fs_manage_nfs_files(swtpm_t)
+ fs_read_nfs_symlinks(swtpm_t)
+ fs_mmap_nfs_files(swtpm_t)
+')
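Review bot: The `tunable_policy` block added at the end of swtpm.te has no comment saying how much it widens swtpm_t's confinement. NFS mounts usually carry a single label for the whole mount, so with `virt_use_nfs` on, the four interfaces apply to all NFS content of that type rather than only the TPM state directory. The boolean is presumably the same one administrators already enable for VM images, so swtpm_t would gain this access as a side effect. I would put a comment above the block, outside the m4 quotes, such as `# NFS-backed TPM state: with virt_use_nfs on, swtpm_t gets manage access to all NFS-labelled content, not only its state directory`. It is also worth confirming that `fs_manage_nfs_dirs(swtpm_t)` is needed: if swtpm only creates and renames state files in a directory prepared for it, `fs_manage_nfs_files(swtpm_t)` may already suffice, which the hunk alone does not show.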