From d5d9c71ccab3c099b8bc4d075131ec25972b8180 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 1 Aug 2023 17:19:16 +0200 Subject: [PATCH] Allow openconnect vpn read/write inherited vhost net device OpenConnect, running in the vpnc_t domain, uses the vhost-net device for tun acceleration to make the tun device's io_uring accessible. There is no virtualization feature used in this concept. Resolves: rhbz#2221507 --- policy/modules/contrib/vpn.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te index e434963e86..00e7cf81e5 100644 --- a/policy/modules/contrib/vpn.te +++ b/policy/modules/contrib/vpn.te @@ -75,6 +75,7 @@ corenet_rw_tun_tap_dev(vpnc_t) dev_read_rand(vpnc_t) dev_read_urand(vpnc_t) dev_read_sysfs(vpnc_t) +dev_rw_inherited_vhost(vpnc_t) domain_use_interactive_fds(vpnc_t)
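
Review bot: the added `dev_rw_inherited_vhost(vpnc_t)` line in the `dev_*` block of vpn.te carries no comment, and nothing in the policy file itself explains why a VPN domain needs a vhost device. Suggest a one-line comment above it saying that this is for OpenConnect's tun acceleration and that no virtualization feature is involved, as the commit message states. The subject and the interface name both say "inherited", which suggests the rule covers only a descriptor passed in already open and not an open of the device by vpnc_t itself. The commit message should therefore name the process that opens the vhost-net device and hands it to OpenConnect, and the AVC denials in rhbz#2221507 should be checked to confirm that no `open` denial for vpnc_t is left unaddressed by this one-line change.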