From d53d4e6812313628daef2a3a9322a72a9366e793 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Fri, 14 Nov 2025 08:51:16 +0100
Subject: [PATCH] Allow virtqemud_t to read state of unconfined services (bsc#1251789)

When libvirt is used from unconfined services you see denials like
avc: denied { search } for comm="rpc-virtqemud" name="78700" dev="proc" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
avc: denied { read } for comm="rpc-virtqemud" name="stat" dev="proc" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
avc: denied { open } for comm="rpc-virtqemud" path="/proc/78700/stat" dev="proc" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
---
 policy/modules/contrib/virt.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 394a80b860..c76efdf878 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2413,6 +2413,10 @@ optional_policy(`
 systemd_homed_stream_connect(virtqemud_t)
 ')
+optional_policy(`
+ unconfined_server_read_state(virtqemud_t)
+')
+
 optional_policy(`
 userdom_manage_tmp_files(virtqemud_t)
 userdom_manage_tmp_sockets(virtqemud_t)
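Review bot: The added `unconfined_server_read_state(virtqemud_t)` line is presumably wider than the three denials the commit cites: those need only `search` on the `/proc/<pid>` directory and `read`/`open` of `/proc/<pid>/stat`, whereas a read_state interface in this policy family typically grants read of every file under `/proc/<pid>` of an unconfined_service_t process plus `process getattr`; confirm against the interface definition in unconfined.if, which is not part of this patch. If that breadth is acceptable, it is worth recording why virtqemud_t needs it, since `comm="rpc-virtqemud"` suggests the RPC server is inspecting a connecting client's process rather than the guests it manages, and none of the neighbouring optional_policy blocks say which access they serve; a one-line comment above the block such as `# rpc-virtqemud reads /proc/<pid>/stat of unconfined_service_t clients (bsc#1251789)` would tell the next reader what this rule is for. The denials were captured with `permissive=1`, so the set is likely complete for that code path, but the rule should be re-checked in enforcing mode with the rebuilt policy loaded, in case a later access on the same path (for example `getattr` on the file or on the process) was not exercised. The optional_policy blocks before and after the insertion are cut by the hunk, so their contents beyond the lines shown were not reviewed.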