SELinuxProject · pebenito · Jul 10, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 24, 2025
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
@@ -13,6 +13,14 @@ policy_module(qemu)
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
+## <desc>
+##	<p>
+##	Determine whether qemu can be
+##	managed by incus.
+##	</p>
+## </desc>
+gen_tunable(qemu_incus_managed, false)
+
 attribute_role qemu_roles;
 roleattribute system_r qemu_roles;
 
@@ -47,6 +55,35 @@ tunable_policy(`qemu_full_network',`
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+optional_policy(`
+	tunable_policy(`qemu_incus_managed',`
+		incus_stream_connect_daemon(qemu_t)
+
+		files_create_generic_tmp_named_sockets(qemu_t)
+
+		kernel_read_kernel_sysctls(qemu_t)
+		kernel_read_vm_overcommit_sysctl(qemu_t)
+
+		# incus VMs do not start otherwise
+		allow qemu_t self:capability { dac_override dac_read_search setuid setgid };
+		allow qemu_t qemu_tmpfs_t:file mmap_read_file_perms;
+
+		# this is due to incus lack of selinux support for VMs
+		# see https://github.com/lxc/incus/issues/1037
+		kernel_rw_unlabeled_files(qemu_t)
+		kernel_rw_unlabeled_dirs(qemu_t)
+		kernel_manage_unlabeled_symlinks(qemu_t)
+
+		container_manage_engine_tmp_files(qemu_t)
+		container_manage_log_files(qemu_t)
+		container_manage_runtime_files(qemu_t)
+		container_manage_runtime_sock_files(qemu_t)
+	')
+
+	storage_raw_read_fixed_disk_cond(qemu_t, qemu_incus_managed)
+	storage_raw_write_fixed_disk_cond(qemu_t, qemu_incus_managed)
+')
+
 optional_policy(`
 	fs_manage_xenfs_files(qemu_t)
 

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -144,6 +144,25 @@ interface(`dev_remount_fs',`
 	allow $1 device_t:filesystem remount;
 ')
 
+########################################
+## <summary>
+##	Allow to watch filesystem and to
+##	watch and watch_sb dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+interface(`dev_watch_dev_fs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem watch;
+	allow $1 device_t:dir { watch watch_sb };
+')
+
 ########################################
 ## <summary>
 ##	Watch the directories in /dev.
@@ -4969,7 +4988,7 @@ interface(`dev_relabel_all_sysfs',`
 #
 interface(`dev_setattr_all_sysfs',`
     gen_require(`
-        attribute sysfs_types;
+	attribute sysfs_types;
     ')
 
     allow $1 sysfs_types:dir { search_dir_perms setattr };
@@ -5007,11 +5026,11 @@ interface(`dev_rw_tpm',`
 ## </param>
 #
 interface(`dev_rw_uhid',`
-        gen_require(`
-                type device_t, uhid_device_t;
-        ')
+	gen_require(`
+		type device_t, uhid_device_t;
+	')
 
-        rw_chr_files_pattern($1, device_t, uhid_device_t)
+	rw_chr_files_pattern($1, device_t, uhid_device_t)
 ')
 
 ########################################

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
@@ -452,6 +452,25 @@ interface(`files_dontaudit_getattr_all_tmpfs_files',`
 	dontaudit $1 tmpfsfile:file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to unlink
+##	sockets in tmp_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_delete_generic_tmp_named_sockets',`
+	gen_require(`
+		type tmp_t;
+	')
+
+	dontaudit $1 tmp_t:sock_file unlink;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all directories.
@@ -4614,8 +4633,7 @@ interface(`files_mmap_read_kernel_modules',`
 	')
 
 	allow $1 modules_object_t:dir list_dir_perms;
-	read_files_pattern($1, modules_object_t, modules_object_t)
-	allow $1 modules_object_t:file map;
+	mmap_read_files_pattern($1, modules_object_t, modules_object_t)
 	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 ')
 
@@ -7173,7 +7191,7 @@ interface(`files_exec_runtime',`
 
 ########################################
 ## <summary>
-##	Dontaudit attempt to execute generic programs in /var/run in the caller domain.
+##	Dontaudit attempts to execute generic programs in /var/run in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -7515,6 +7533,24 @@ interface(`files_create_all_runtime_pipes',`
 
 ')
 
+########################################
+## <summary>
+##     Create tmp_t sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_generic_tmp_named_sockets',`
+        gen_require(`
+                type tmp_t;
+        ')
+
+	create_sock_files_pattern($1, tmp_t, tmp_t)
+')
+
 ########################################
 ## <summary>
 ##     Delete all runtime named pipes
@@ -7684,11 +7720,11 @@ interface(`files_runtime_filetrans_lock_dir',`
 ## </param>
 #
 interface(`files_create_all_spool_sockets',`
-        gen_require(`
-                attribute spoolfile;
-        ')
+	gen_require(`
+		attribute spoolfile;
+	')
 
-        allow $1 spoolfile:sock_file create_sock_file_perms;
+	allow $1 spoolfile:sock_file create_sock_file_perms;
 ')
 
 ########################################
@@ -7702,11 +7738,11 @@ interface(`files_create_all_spool_sockets',`
 ## </param>
 #
 interface(`files_delete_all_spool_sockets',`
-        gen_require(`
-                attribute spoolfile;
-        ')
+	gen_require(`
+		attribute spoolfile;
+	')
 
-        allow $1 spoolfile:sock_file delete_sock_file_perms;
+	allow $1 spoolfile:sock_file delete_sock_file_perms;
 ')
 
 ########################################