Allow virt_domain to use pulseaudio - conditional

Introduce a new conditional virt_use_pulseaudio which allows virtual guests to use pulseaudio. The boolean is disabled by default, because it is unlikely for qemu:///system mode of libvirt to need this functionality (this is intended for qemu:///session mode of libvirt). Resolves: RHEL-62763
fedora-selinux · Jan 29, 2025 · e73b7b4 · e73b7b4
1 parent ca641a1
commit e73b7b4
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -112,8 +112,14 @@ gen_tunable(virt_use_pcscd, false)
 
 ## <desc>
 ## <p>
-## Allow sandbox containers to send audit messages
+## Allow confined virtual guests to use pulseaudio
+## </p>
+## </desc>
+gen_tunable(virt_use_pulseaudio, false)
 
+## <desc>
+## <p>
+## Allow sandbox containers to send audit messages
 ## </p>
 ## </desc>
 gen_tunable(virt_sandbox_use_audit, true)
@@ -1254,6 +1260,14 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	tunable_policy(`virt_use_pulseaudio',`
+		pulseaudio_read_home_files(virt_domain)
+		unconfined_stream_connect(virt_domain)
+		userdom_stream_connect(virt_domain)
+	')
+')
+
 optional_policy(`
 	alsa_read_rw_config(virt_domain)
 ')