Extended SELinux policy to support BlueChi UDS
Fixes: containers#677

Recently, BlueChi enhanced the support for Unix Domain Sockets,
including the respective SELinux policy (see eclipse-bluechi/bluechi#1015).
On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM
and have the bluechi-agent inside connect to it. This, however, is currently
rejected due to missing SELinux policy rules. Let's add this rule.

Signed-off-by: Michael Engel <[email protected]>
engelmi committed Jan 14, 2025
1 parent 24e17dd commit d5b454f
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions qm.te
Expand Up @@ -29,3 +29,12 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc")
unconfined_domain(ipc_t)

qm_domain_template(qm)

optional_policy(`
require{
type bluechi_var_run_t;
type bluechi_t;
}
stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)
unconfined_server_stream_connectto(qm_t)
')
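Review bot: unconfined_server_stream_connectto(qm_t) on the last line of the block grants qm_t connectto on stream sockets served by any unconfined domain, which is broader than the BlueChi-only intent described in the commit message; if the controller socket is served by bluechi_t, the preceding stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t) should already cover the connect, so either drop that line or add a comment inside the optional_policy block stating which denial it addresses. A short comment naming the BlueChi UDS use case above the optional_policy( line would also help future readers of qm.te, since the block itself carries no documentation.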
