feat: update kvmfr selinux type enforcement rules & give qemu/libvirt…

… access to read ISO files from users home directory when enabling virtualization (#2111)

* feat: update selinux type enforcement for kvmfr
existing setups not affected, if they complain about it appearing in the logs, all they have to do is just re-run the ujust for kvmfr

* fix: let qemu/libvirt access ISO files from users home directory when enabling virtualization

system_files/desktop/shared/usr/share/ublue-os/just/84-bazzite-virt.just

@@ -55,6 +55,8 @@ setup-virtualization ACTION="":
             sudo mkdir /var/lib/swtpm-localca
           fi
           sudo chown tss /var/lib/swtpm-localca
+          echo "Giving qemu access to read ISO files from $HOME"
+          sudo setfacl -m u:qemu:rx $HOME
           if sudo test ! -f "/etc/libvirt/hooks/qemu"; then
             echo "Adding libvirt qemu hooks"
             sudo wget 'https://raw.githubusercontent.com/PassthroughPOST/VFIO-Tools/master/libvirt_hooks/qemu' -O /etc/libvirt/hooks/qemu
@@ -229,6 +231,10 @@ setup-virtualization ACTION="":
       if [ ! -d "$HOME/.config/selinux_te/pp" ]; then
         mkdir -p "$HOME/.config/selinux_te/pp"
       fi
+      if [ -f "$HOME/.config/selinux_te/kvmfr.te" ]; then
+        echo "Re-creating kvmfr selinux type enforcement rules"
+        rm $HOME/.config/selinux_te/kvmfr.te
+      fi
       bash -c "cat << KVMFR_SELINUX > $HOME/.config/selinux_te/kvmfr.te
     module kvmfr 1.0;
 
@@ -240,6 +246,9 @@ setup-virtualization ACTION="":
 
     #============= svirt_t ==============
     allow svirt_t device_t:chr_file { open read write map };
+
+    #============= virtqemud_t ==============
+    allow virtqemud_t device_t:chr_file { read write };
     KVMFR_SELINUX"
       echo "This is the type enforcement we wrote for SELinux and you can find it in $HOME/.config/selinux_te/kvmfr.te"
       echo "#======= start of kvmfr.te ======="