Allow staff user dbus chat with virt-dbus

The commit addresses the following USER_AVC denial: type=USER_AVC msg=audit(07/16/2024 00:16:30.862:1117) : pid=804 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virt_dbus_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' Resolves: RHEL-73914
zpytela · Jan 16, 2025 · 5a6d4c5 · 5a6d4c5
1 parent 8ad55fd
commit 5a6d4c5
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
@@ -1935,6 +1935,27 @@ interface(`virt_dbus_chat',`
 	ps_process_pattern(virt_driver_domain, $1)
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	virt-dbus over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_dbus_chat_dbus',`
+	gen_require(`
+		type virt_dbus_t;
+		class dbus send_msg;
+	')
+
+	allow $1 virt_dbus_t:dbus send_msg;
+	allow virt_dbus_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Execute a file in a sandbox directory

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
@@ -344,6 +344,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	virt_dbus_chat_dbus(staff_t)
 	virt_getattr_exec(staff_t)
 	virt_search_images(staff_t)
 	virt_stream_connect(staff_t)