Add support for vsomeip3 selinux policy

Signed-off-by: Daniel J Walsh <[email protected]> Signed-off-by: Douglas Schilling Landgraf <[email protected]> Signed-off-by: Yariv Rachmani <[email protected]>
containers · Jan 17, 2024 · d2e1843 · d2e1843
1 parent 52bac61
commit d2e1843
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.6.0
+0.6.1
diff --git a/qm.if b/qm.if
@@ -55,6 +55,7 @@ template(`qm_domain_template',`
 	container_read_share_files($1_t)
 	container_exec_share_files($1_t)
 	allow $1_t container_ro_file_t:file execmod;
+	allow $1_container_t $1_file_type:chr_file { rw_inherited_file_perms };
 
 	attribute $1_file_type;
 	allow $1_file_type self:filesystem associate;
@@ -260,6 +261,7 @@ template(`qm_domain_template',`
 	kernel_rw_unix_sysctls($1_t)
 	kernel_rw_vm_sysctls($1_t)
 	kernel_rw_usermodehelper_state($1_t)
+	kernel_rw_vm_sysctls($1_t)
 	kernel_search_debugfs($1_t)
 	dontaudit $1_t proc_security_t:file write;
 	allow $1_t filesystem_type:filesystem { mount remount unmount };
@@ -468,6 +470,9 @@ template(`qm_domain_template',`
 	allow unconfined_domain_type $1_container_domain:process2 { nnp_transition nosuid_transition };
 	allow unconfined_service_t $1_container_domain:process dyntransition;
 
+	dev_getattr_all($1_container_domain)
+	dev_list_sysfs($1_container_domain)
+	dev_dontaudit_mounton_sysfs($1_container_domain)
 	domain_dontaudit_link_all_domains_keyrings($1_container_domain)
 	domain_dontaudit_search_all_domains_keyrings($1_container_domain)
 	domain_dontaudit_search_all_domains_state($1_container_domain)
@@ -555,4 +560,9 @@ template(`qm_domain_template',`
 
 	userdom_rw_inherited_user_pipes($1_container_domain)
 	userdom_use_user_ptys($1_container_domain)
+
+	optional_policy(`
+		vsomeip_use($1_t)
+		vsomeip_use($1_container_domain)
+	')
 ')
diff --git a/qm.te b/qm.te
@@ -1,3 +1,3 @@
-policy_module(qm, 0.6.0)
+policy_module(qm, 0.6.1)
 
 qm_domain_template(qm)
diff --git a/rpm/qm.spec b/rpm/qm.spec
@@ -59,6 +59,7 @@ BuildArch: noarch
 BuildRequires: golang-github-cpuguy83-md2man
 BuildRequires: container-selinux
 BuildRequires: make
+BuildRequires: vsomeip3-selinux
 BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %_selinux_policy_version