From 59c7bb38a912f1906cf1e1f52342dcd236b72e18 Mon Sep 17 00:00:00 2001
From: Michael Engel
Date: Tue, 17 Dec 2024 17:34:59 +0100
Subject: [PATCH] Updated SELinux policy
Relates to: https://github.com/eclipse-bluechi/bluechi/issues/997
The SELinux policy for BlueChi did not allow using UDS. Since these where introduces in https://github.com/eclipse-bluechi/bluechi/issues/997 the policy has been updated to allow the bluechi-controller to create and manage the UDS in /run (or /var/run) and the bluechi-agent to connect to it.
Signed-off-by: Michael Engel
---
 bluechi.spec.in | 4 ++++
 selinux/bluechi.fc | 2 ++
 selinux/bluechi.te | 25 ++++++++++++++++++++++---
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/bluechi.spec.in b/bluechi.spec.in
index 4fbcc67190..9bff67825e 100644
--- a/bluechi.spec.in
+++ b/bluechi.spec.in
@@ -187,11 +187,15 @@ if [ $1 -eq 1 ]; then
 fi
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/bluechi.pp.bz2
 restorecon -R %{_bindir}/bluechi* &> /dev/null || :
+restorecon -R %{_rundir}/bluechi/ &> /dev/null || :
+restorecon -R %{_localstatedir}/%{_rundir}/bluechi/ &> /dev/null || :
 %postun selinux
 if [ $1 -eq 0 ]; then
 %selinux_modules_uninstall -s %{selinuxtype} bluechi
 restorecon -R %{_bindir}/bluechi* &> /dev/null || :
+ restorecon -R %{_rundir}/bluechi/ &> /dev/null || :
+ restorecon -R %{_localstatedir}/%{_rundir}/bluechi/ &> /dev/null || :
 fi
diff --git a/selinux/bluechi.fc b/selinux/bluechi.fc
index 4efb4984cd..ff522dfe60 100644
--- a/selinux/bluechi.fc
+++ b/selinux/bluechi.fc
@@ -4,3 +4,5 @@
 /usr/bin/bluechi-agent -- gen_context(system_u:object_r:bluechi_agent_exec_t,s0)
 /usr/libexec/bluechi-agent -- gen_context(system_u:object_r:bluechi_agent_exec_t,s0)
+/run/bluechi(/.*)? gen_context(system_u:object_r:bluechi_var_run_t,s0)
+/var/run/bluechi(/.*)? gen_context(system_u:object_r:bluechi_var_run_t,s0)
diff --git a/selinux/bluechi.te b/selinux/bluechi.te
index c4ad533663..51def03dbd 100644
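Review bot: `%{_localstatedir}/%{_rundir}` in the two new %post/%postun restorecon lines concatenates two absolute macros (`/var` and `/run`) into `/var//run/bluechi/`; on a systemd host `/var/run` is a symlink to `/run`, so this relabels the same tree the preceding `%{_rundir}` line already covered, through an odd path. Writing it literally, `restorecon -R /var/run/bluechi/ &> /dev/null || :`, or dropping the line and relying on the `%{_rundir}` call alone, is clearer. Note also that a runtime directory under `/run` is normally absent at package install time, so these calls are best-effort (errors are hidden by `|| :`) and the lasting label has to come from how the directory is created at service start, which this hunk cannot guarantee by itself.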
--- a/selinux/bluechi.te
+++ b/selinux/bluechi.te
@@ -25,6 +25,7 @@ corenet_port(bluechi_port_t)
 type bluechi_agent_port_t;
 corenet_port(bluechi_agent_port_t)
+
 ########################################
 #
 # bluechi local policy
@@ -57,7 +58,7 @@ kernel_dgram_send(bluechi_t)
 logging_send_syslog_msg(bluechi_t)
 logging_read_syslog_pid(bluechi_t)
-allow haproxy_t bluechi_t:unix_stream_socket connectto;
+unconfined_dbus_chat(bluechi_t)
 ########################################
 #
 #
@@ -98,6 +99,26 @@ dbus_system_bus_client(bluechi_agent_t)
 init_status(bluechi_agent_t)
+
+########################################
+#
+# bluechi policy for unix domain sockets
+#
+type bluechi_var_run_t;
+files_pid_file(bluechi_var_run_t)
+init_sock_file(bluechi_var_run_t)
+mls_trusted_object(bluechi_var_run_t)
+
+manage_sock_files_pattern(bluechi_t, bluechi_var_run_t, bluechi_var_run_t)
+stream_connect_pattern(bluechi_agent_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)
+unconfined_server_stream_connectto(bluechi_agent_t)
+
+########################################
+#
+# bluechi policy with haproxy
+#
+allow haproxy_t bluechi_t:unix_stream_socket connectto;
+
 rhcs_stream_connect_haproxy(bluechi_agent_t)
 gen_require(`
@@ -109,5 +130,3 @@ stream_connect_pattern(bluechi_agent_t, haproxy_var_lib_t, haproxy_var_lib_t, ha
 manage_sock_files_pattern(init_t, haproxy_var_lib_t, haproxy_var_lib_t)
 manage_sock_files_pattern(init_t, haproxy_var_run_t, haproxy_var_run_t)
-
-unconfined_dbus_chat(bluechi_t)
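Review bot: The new `bluechi_var_run_t` rules only let bluechi_t manage sock_files inside a directory that already carries that label, but nothing in the hunk labels the directory itself: there is no `files_pid_filetrans(bluechi_t, bluechi_var_run_t, { dir sock_file })` and no `manage_dirs_pattern`, so if the controller creates `/run/bluechi` at runtime the directory and the socket inherit `var_run_t` from `/run` and the agent's `stream_connect_pattern(bluechi_agent_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)` never matches. I cannot tell from this diff whether the directory comes from `RuntimeDirectory=`/tmpfiles (where the `.fc` entry is enough) or from the daemon; adding `files_pid_filetrans(bluechi_t, bluechi_var_run_t, { dir sock_file })` and `manage_dirs_pattern(bluechi_t, bluechi_var_run_t, bluechi_var_run_t)` next to `manage_sock_files_pattern` covers both cases. Separately, `unconfined_server_stream_connectto(bluechi_agent_t)` lets the agent connect to any `unconfined_service_t` stream socket, far wider than the pattern line above it; if it is only there for a controller that runs outside `bluechi_t`, a comment such as `# controller may run as unconfined_service_t; see issue 997` should say so, otherwise it should be dropped. `mls_trusted_object(bluechi_var_run_t)` likewise exempts the socket from MLS constraints and deserves a one-line justification in the policy.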