From a887c9628be19260fbe144215dbdc58ecf1a8758 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sat, 4 Jan 2020 11:07:12 +0100
Subject: [PATCH] virt: allow more accesses to libvirt_leaseshelper

When using libvirt to manage virtual machines, libvirt_leaseshelper wants to:

* read /etc/libnl/classid
* list the content of /sys/devices/system/node/ in order to read files such as /sys/devices/system/node/node0/meminfo
* use getsched

Signed-off-by: Nicolas Iooss
---
 policy/modules/services/virt.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a76a2181e..7e4df3118 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1305,6 +1305,8 @@ userdom_use_user_ptys(virt_bridgehelper_t)
 # Leaseshelper local policy
 #
+allow virt_leaseshelper_t self:process getsched;
+
 allow virt_leaseshelper_t virtd_t:fd use;
 allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
@@ -1317,6 +1319,13 @@ files_pid_filetrans(virt_leaseshelper_t, virt_runtime_t, file)
 kernel_dontaudit_read_system_state(virt_leaseshelper_t)
+# Read /sys/devices/system/node/node*/meminfo
+dev_list_sysfs(virt_leaseshelper_t)
+dev_read_sysfs(virt_leaseshelper_t)
+
+# Read /etc/libnl/classid
+files_read_etc_files(virt_leaseshelper_t)
+
 ########################################
 #
 # Virtlockd local policy
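Review bot: `dev_list_sysfs(virt_leaseshelper_t)` in the second hunk looks redundant next to `dev_read_sysfs(virt_leaseshelper_t)`: in refpolicy's devices.if the read interface already carries `list_dirs_pattern($1, sysfs_t, sysfs_t)`, so the extra call adds no permission and can be dropped — worth confirming against the tree this targets, since the interface bodies are not visible here. Both `dev_read_sysfs` and `files_read_etc_files` grant read access to every sysfs_t and etc_t file, much wider than the two paths the comments name; refpolicy has no narrower type for /sys/devices/system/node or /etc/libnl, so this is the available granularity, but the comments should say so rather than imply the grants are scoped, e.g. `# Read /sys/devices/system/node/node*/meminfo (all of sysfs_t; no finer type exists)` and `# Read /etc/libnl/classid (all of etc_t; no finer type exists)`. The second hunk's trailing context is the start of the Virtlockd section, so the Leaseshelper block it extends begins in the first hunk and is otherwise outside this view.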