From 6459e7eca885f34ffaac5f2d2106814bde994a77 Mon Sep 17 00:00:00 2001 From: Michael Engel Date: Tue, 14 Jan 2025 09:53:17 +0100 Subject: [PATCH] Extended SELinux policy to support BlueChi UDS Fixes: https://github.com/containers/qm/issues/677 Recently, BlueChi enhanced the support for Unix Domain Sockets, including the respective SELinux policy (see eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules. Let's add this rule. Signed-off-by: Michael Engel --- qm.te | 9 +++++++++ rpm/qm.spec | 1 + 2 files changed, 10 insertions(+) diff --git a/qm.te b/qm.te index b268796b..cda602f0 100644 --- a/qm.te +++ b/qm.te @@ -29,3 +29,12 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc") unconfined_domain(ipc_t) qm_domain_template(qm) + +optional_policy(` + require{ + type bluechi_var_run_t; + type bluechi_t; + } + stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t) + unconfined_server_stream_connectto(qm_t) +') diff --git a/rpm/qm.spec b/rpm/qm.spec index a47faa90..549a19bb 100644 --- a/rpm/qm.spec +++ b/rpm/qm.spec @@ -61,6 +61,7 @@ BuildRequires: git-core BuildRequires: pkgconfig(systemd) BuildRequires: selinux-policy >= %_selinux_policy_version BuildRequires: selinux-policy-devel >= %_selinux_policy_version +BuildRequires: bluechi-selinux Requires: iptables Requires: parted
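Review bot: in the qm.te hunk, `unconfined_server_stream_connectto(qm_t)` grants more than the commit message describes. `stream_connect_pattern(qm_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)` already lets qm_t write to the socket file and connectto the bluechi_t peer, which is exactly the "bluechi-agent inside QM connects to the mounted controller socket" case; the second macro additionally lets qm_t connectto stream sockets of the unconfined server domain, which has nothing to do with the bluechi types this block requires. If it is needed because the controller can run unconfined on some targets, say so in a comment above the block (and in the commit message, which currently speaks of adding "this rule" although two are added); otherwise drop it and keep the new grant scoped to bluechi_t. Style point: refpolicy-style .te files normally wrap the type requirements inside `optional_policy` in `gen_require(` ... ')` rather than a bare `require{ ... }`.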
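Review bot: the new `BuildRequires: bluechi-selinux` in rpm/qm.spec has no version floor. The commit message says the BlueChi UDS policy was added only recently (eclipse-bluechi/bluechi#1015), so an older bluechi-selinux package can satisfy this dependency without defining `bluechi_var_run_t`, and the module build then fails at the `require` block. Pin a minimum version, matching the `>= %_selinux_policy_version` pattern on the selinux-policy lines just above (the exact version is the first bluechi-selinux release that ships the UDS types). A short spec comment that the dependency exists only so the `optional_policy` block compiles would also help; no runtime Requires is needed, since optional_policy leaves the rules disabled when the types are absent on the target.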