@@ -14,4 +14,5 @@ include refpolicy_${PV}.inc
SRC_URI += " \
file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
+ file://0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch \
"
new file mode 100644
@@ -0,0 +1,74 @@
+From 2edbd77f1f6aa720a9ed48f27f9dca43b8935261 Mon Sep 17 00:00:00 2001
+From: Abhilasha Manna <amanna@qti.qualcomm.com>
+Date: Wed, 18 Mar 2026 10:53:58 +0530
+Subject: [PATCH] virt: label libvirt hook scripts with dedicated exec type
+
+Hook scripts under /etc/libvirt/hooks/ are executable files
+invoked by libvirtd on lifecycle events. Their current label
+virt_etc_rw_t does not permit execute, causing AVC denials.
+
+Introduce virt_script_exec_t for hook scripts, add the
+virt_exec_script() interface, and update file_contexts to
+label /etc/libvirt/hooks(/.*)? accordingly.
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1095/changes/e393fdc3c3943b27d9808311e92c14af68345f29]
+
+Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com>
+---
+ policy/modules/services/virt.fc | 2 ++
+ policy/modules/services/virt.if | 18 ++++++++++++++++++
+ policy/modules/services/virt.te | 5 +++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
+index 1441a50dc..eb72de5be 100644
+--- a/policy/modules/services/virt.fc
++++ b/policy/modules/services/virt.fc
+@@ -72,3 +72,5 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+ /run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+ /run/vdsm(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0)
+ /run/virtlockd\.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0)
++
++/etc/libvirt/hooks(/.*)? -- system_u:object_r:virt_script_exec_t:s0
+diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
+index 9b28d670e..272034f0d 100644
+--- a/policy/modules/services/virt.if
++++ b/policy/modules/services/virt.if
+@@ -1274,3 +1274,21 @@ interface(`virt_admin',`
+ dev_list_all_dev_nodes($1)
+ allow $1 virt_ptynode:chr_file rw_term_perms;
+ ')
++
++########################################
++## <summary>
++## Execute virt hook scripts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to execute virt hook scripts.
++## </summary>
++## </param>
++#
++interface(`virt_exec_script',`
++ gen_require(`
++ type virt_script_exec_t;
++ ')
++ files_search_etc($1)
++ allow $1 virt_script_exec_t:file exec_file_perms;
++')
+diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
+index b0bd0a8d4..50028f615 100644
+--- a/policy/modules/services/virt.te
++++ b/policy/modules/services/virt.te
+@@ -1257,3 +1257,8 @@ sysnet_dns_name_resolve(virtlogd_t)
+
+ virt_manage_log(virtlogd_t)
+ virt_read_config(virtlogd_t)
++
++type virt_script_exec_t;
++files_type(virt_script_exec_t)
++
++virt_exec_script(virtd_t)
+--
+2.43.0
+
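Review bot: The new virt.fc entry on the `+/etc/libvirt/hooks(/.*)? -- system_u:object_r:virt_script_exec_t:s0` line writes a raw context, while every neighbouring entry in the same hunk (`/run/user/...`, `/run/vdsm`, `/run/virtlockd\.pid`) goes through `gen_context(...)`, which is what drops or keeps the `s0` level depending on whether the policy is built with MLS/MCS; the hard-coded `:s0` is only a valid context on an MLS/MCS build and should be `/etc/libvirt/hooks(/.*)? -- gen_context(system_u:object_r:virt_script_exec_t,s0)` to match the file. Since the `Upstream-Status: Backport` trailer says this mirrors the referenced upstream commit, it is worth checking whether the raw form was introduced locally or copied from there before diverging. The `--` flag means only regular files under hooks get the new type, so the hooks directory itself presumably keeps the label the existing `/etc/libvirt` rule assigns, which looks intended but is not stated anywhere. In virt.te the new `virt_exec_script(virtd_t)` grants `exec_file_perms` without any domain transition, so hook scripts run inside virtd_t with that domain's full privilege set; a one-line comment above it such as `# hook scripts execute in virtd_t itself; no transition is defined` would make that least-privilege trade-off explicit to the next reader.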
Backport upstream SELinux refpolicy change from: https://github.com/SELinuxProject/refpolicy/pull/1095/changes/e393fdc3c3943b27d9808311e92c14af68345f29 This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images. No functional changes beyond the upstream fix. Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> --- .../refpolicy/refpolicy-targeted_git.bb | 1 + ...irt-hook-scripts-with-dedicated-exec.patch | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch