Extended SELinux policy to support BlueChi UDS

Fixes: containers#677 Recently, BlueChi enhanced the support for Unix Domain Sockets, including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules. Let's add this rule. Signed-off-by: Michael Engel <[email protected]>
engelmi · Jan 16, 2025 · 6459e7e · 6459e7e
1 parent 73b5a90
commit 6459e7e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/qm.te b/qm.te
@@ -29,3 +29,12 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc")
 unconfined_domain(ipc_t)
 
 qm_domain_template(qm)
+
+optional_policy(`
+	require{
+		type bluechi_var_run_t;
+		type bluechi_t;
+	}
+	stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)
+	unconfined_server_stream_connectto(qm_t)
+')
diff --git a/rpm/qm.spec b/rpm/qm.spec
@@ -61,6 +61,7 @@ BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %_selinux_policy_version
 BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+BuildRequires: bluechi-selinux
 
 Requires: iptables
 Requires: parted