Allow systemd-machined read svirt process state

zpytela · zpytela · commit 92e54bfb2af5 · 2025-11-21T17:47:00.000+01:00
As a result of systemd commit 119d332d9c2c [1] ("machine: do not allow unprivileged users to register other users' processes as machines"), additional checks for unprivileged users are now performed in machined. [1] systemd/systemd@119d332 The commit addresses the following AVC denials: type=AVC msg=audit(1761761320.303:568): avc: denied { search } for pid=1490 comm="systemd-machine" name="19272" dev="proc" ino=31558 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c825,c980 tclass=dir permissive=0 type=AVC msg=audit(1761787546.949:757): avc: denied { open } for pid=1075 comm="systemd-machine" path="/proc/32908/stat" dev="proc" ino=169265 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:svirt_t:s0:c274,c314 tclass=file permissive=0 Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2407206
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
@@ -2237,6 +2237,25 @@ interface(`virt_virtqemud_read_state',`
 	ps_process_pattern($1, virtqemud_t)
 ')
 
+########################################
+## <summary>
+##	Read the svirt process state.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_svirt_read_state',`
+	gen_require(`
+		type svirt_t;
+	')
+
+	kernel_search_proc($1)
+	ps_process_pattern($1, svirt_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute virsh in the caller domain.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -631,6 +631,7 @@ optional_policy(`
 	virt_rw_svirt_dev(systemd_machined_t)
 	virt_getattr_sandbox_filesystem(systemd_machined_t)
 	virt_read_sandbox_files(systemd_machined_t)
+	virt_svirt_read_state(systemd_machined_t)
 ')
 
 #######################################
