From 73b5a9062dbd898d527649cd9d5747aedf67fd89 Mon Sep 17 00:00:00 2001 From: Michael Engel Date: Tue, 14 Jan 2025 09:50:35 +0100 Subject: [PATCH 1/2] Removed bluechi-agent dependency in QM Signed-off-by: Michael Engel --- rpm/qm.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/rpm/qm.spec b/rpm/qm.spec index dc5e2fa7..a47faa90 100644 --- a/rpm/qm.spec +++ b/rpm/qm.spec @@ -71,7 +71,6 @@ Requires(post): selinux-policy-targeted >= %_selinux_policy_version Requires(post): policycoreutils Requires(post): libselinux-utils Requires: podman >= %{podman_epoch}:4.5 -Requires: bluechi-agent Requires: jq %description From 6459e7eca885f34ffaac5f2d2106814bde994a77 Mon Sep 17 00:00:00 2001 From: Michael Engel Date: Tue, 14 Jan 2025 09:53:17 +0100 Subject: [PATCH 2/2] Extended SELinux policy to support BlueChi UDS Fixes: https://github.com/containers/qm/issues/677 Recently, BlueChi enhanced the support for Unix Domain Sockets, including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules. Let's add this rule. Signed-off-by: Michael Engel --- qm.te | 9 +++++++++ rpm/qm.spec | 1 + 2 files changed, 10 insertions(+) diff --git a/qm.te b/qm.te index b268796b..cda602f0 100644 --- a/qm.te +++ b/qm.te @@ -29,3 +29,12 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc") unconfined_domain(ipc_t) qm_domain_template(qm) + +optional_policy(` + require{ + type bluechi_var_run_t; + type bluechi_t; + } + stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t) + unconfined_server_stream_connectto(qm_t) +') diff --git a/rpm/qm.spec b/rpm/qm.spec index a47faa90..549a19bb 100644 --- a/rpm/qm.spec +++ b/rpm/qm.spec 
@@ -61,6 +61,7 @@ BuildRequires: git-core BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %_selinux_policy_version BuildRequires: selinux-policy-devel >= %_selinux_policy_version +BuildRequires: bluechi-selinux Requires: iptables Requires: parted
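Review bot: the dropped `Requires: bluechi-agent` line in rpm/qm.spec comes with a commit message that states only that the dependency was removed, not why, so on its own this first patch reads as if QM + BlueChi setups lose the agent. The second patch supplies the reason (the bluechi-agent is expected to run inside QM and connect over the mounted UDS); consider stating that in this commit's message, or reordering so the SELinux change lands first and the dependency removal follows it, so bisecting to this commit does not look like a regression.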
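Review bot: the `unconfined_server_stream_connectto(qm_t)` call in the new optional_policy block of qm.te widens qm_t beyond what the commit message's "this rule" describes: `stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)` already grants qm_t search on the socket directory, write on the socket file and connectto on a stream socket served by bluechi_t, so the additional connectto on unconfined servers is only needed if the controller end of the socket actually runs unconfined rather than as bluechi_t. If that is the case, add a comment above the line saying so; otherwise drop it so qm_t is not granted connectto to every unconfined stream server on the host. Also worth confirming that both the directory holding the socket and the socket file itself are labelled bluechi_var_run_t, since the pattern is given that single type for both the parent directory and the sock_file.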
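Review bot: the new `BuildRequires: bluechi-selinux` in rpm/qm.spec is paired with a raw `require { type bluechi_var_run_t; type bluechi_t; }` block in qm.te rather than with interfaces from the bluechi policy, so the commit message should say what the build dependency provides (presumably the type declarations needed to compile the require block). It is also worth noting that nothing at runtime pulls in bluechi-selinux: because the rules sit inside `optional_policy`, a QM install without the bluechi policy loads with that block disabled, and the failure from issue 677 would reappear as AVC denials rather than as a missing-dependency error. A `Recommends: bluechi-selinux`, or a sentence in %description, would make the intended pairing visible to packagers.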