From d5b454f56fc8defa9c01b743e619555f911e75d9 Mon Sep 17 00:00:00 2001 From: Michael Engel Date: Tue, 14 Jan 2025 09:53:17 +0100 Subject: [PATCH] Extended SELinux policy to support BlueChi UDS Fixes: https://github.com/containers/qm/issues/677 Recently, BlueChi enhanced the support for Unix Domain Sockets, including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules. Let's add this rule. Signed-off-by: Michael Engel --- qm.te | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/qm.te b/qm.te index b268796b..cda602f0 100644 --- a/qm.te +++ b/qm.te @@ -29,3 +29,12 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc") unconfined_domain(ipc_t) qm_domain_template(qm) + +optional_policy(` + require{ + type bluechi_var_run_t; + type bluechi_t; + } + stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t) + unconfined_server_stream_connectto(qm_t) +')
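Review bot: The second rule in the new `optional_policy` block, `unconfined_server_stream_connectto(qm_t)`, is broader than the fix the commit message describes and should either be justified in a comment or dropped. The BlueChi-specific access is already expressed by `stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)`, which lets `qm_t` search the `bluechi_var_run_t` directory, write the socket file of that type and `connectto` `bluechi_t`; the `unconfined_server_stream_connectto` line, by its name, lets `qm_t` connect to any unconfined server's stream socket, which is unrelated to the `bluechi_*` types the `require` block pulls in and so does not belong inside this `optional_policy` in any case. If the controller on the host runs as an unconfined domain rather than `bluechi_t` and that is why the extra line is needed, say so in a policy comment above the line, e.g. `# bluechi-controller socket may be labeled for an unconfined domain on some hosts`, and reference the upstream policy change from eclipse-bluechi/bluechi#1015 so the two rules can be reconciled later; otherwise keep only the `stream_connect_pattern` line so the QM domain gains no more than the socket it needs.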