Support virt live migration using ssh

Triggered by the following command: virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain hostname --desturi qemu+ssh://\{target}/system Resolves: RHEL-53972
zpytela · Jan 3, 2025 · ad4a541 · ad4a541
1 parent 9304e84
commit ad4a541
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
@@ -2141,3 +2141,22 @@ interface(`virt_manage_qemu_pid_sock_files',`
        files_search_pids($1)
        manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
 ')
+
+########################################
+## <summary>
+##	Allow the specified domain to ioctl
+##	virtqemud over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_virtqemud_ioctl_stream_sockets',`
+	gen_require(`
+		type virtqemud_t;
+	')
+
+	allow $1 virtqemud_t:unix_stream_socket ioctl;
+')
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2294,6 +2294,7 @@ optional_policy(`
 
 optional_policy(`
 	ssh_domtrans_ssh(virtqemud_t)
+	ssh_signal(virtqemud_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
@@ -266,6 +266,10 @@ optional_policy(`
 	systemd_read_conf_files(ssh_t)
 ')
 
+optional_policy(`
+	virt_virtqemud_ioctl_stream_sockets(ssh_t)
+')
+
 optional_policy(`
 	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
 	xserver_domtrans_xauth(ssh_t)