qm.if: add dbus socket rules

Add SELinux rules to allow a dbus-broker container to create a QM-specific dbus socket at the `/run/dbus/` directory. Signed-off-by: Albert Esteve <[email protected]>
containers · Jul 8, 2024 · 72a12c5 · 72a12c5
1 parent 64c9bc7
commit 72a12c5
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/qm.if b/qm.if
@@ -39,12 +39,14 @@ template(`qm_domain_template',`
 		type sysctl_irq_t;
 		type sysctl_t;
 		type system_dbusd_t;
+		type systemd_hostnamed_t;
 		type systemd_logind_t;
 		type systemd_machined_t;
 		type unconfined_service_t;
 		type bpf_t;
 		type container_devpts_t;
 		type net_conf_t;
+		type getty_t;
 	')
 
 	type $1_t;
@@ -397,11 +399,15 @@ template(`qm_domain_template',`
 
 	qm_container_template($1, wayland)
 
-	allow $1_container_wayland_t $1_file_t:dir { add_name write };
+	allow $1_container_wayland_t $1_file_t:dir { add_name write watch };
 	allow $1_container_wayland_t $1_file_t:file { create write };
 	allow $1_container_wayland_t $1_file_t:sock_file { create write };
+	allow $1_container_wayland_t $1_t:unix_stream_socket connectto;
 	dev_read_sysfs($1_container_wayland_t)
 
+	allow getty_t $1_file_type:chr_file { read write };
+	systemd_dbus_chat_hostnamed(systemd_hostnamed_t)
+
 	read_files_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)
 	read_lnk_files_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)
 	list_dirs_pattern($1_container_domain, $1_container_ro_file_t,$1_container_ro_file_t)