Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix selinux policy for uds #1015

Merged
merged 2 commits into from
Dec 19, 2024

Conversation

engelmi
Copy link
Member

@engelmi engelmi commented Dec 18, 2024

Updated SELinux policy

Relates to: #997

The SELinux policy for BlueChi did not allow using UDS. Since these where introduces in #997 the policy has been updated to allow the bluechi-controller to create and manage the UDS in /run (or /var/run) and the bluechi-agent to
connect to it.

Fixed creating /run directory

Relates to: #997

The /run directory is being cleaned up on every system boot. If the /run/bluechi directory is only created during RPM install, it is removed on the next system shutdown. Therefore, the tmpfiles.d is being used to ensure that the /run/bluechi directory will be recreated on each boot - similar to /run/podman.

Signed-off-by: Michael Engel [email protected]

@coveralls
Copy link

coveralls commented Dec 18, 2024

Coverage Status

coverage: 80.974%. remained the same
when pulling 7a2c989 on engelmi:fix-selinux-policy-for-uds
into 759f3a4 on eclipse-bluechi:main.

Copy link
Member

@mwperina mwperina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan
Copy link
Contributor

rhatdan commented Dec 18, 2024

👍

Relates to: eclipse-bluechi#997

The /run directory is being cleaned up on every system boot.
If the /run/bluechi directory is only created during RPM
install, it is removed on the next system shutdown.
Therefore, the tmpfiles.d is being used to ensure that the
/run/bluechi directory will be recreated on each boot - similar
to /run/podman.

Signed-off-by: Michael Engel <[email protected]>
Relates to: eclipse-bluechi#997

The SELinux policy for BlueChi did not allow using UDS. Since these
where introduces in eclipse-bluechi#997
the policy has been updated to allow the bluechi-controller to create
and manage the UDS in /run (or /var/run) and the bluechi-agent to
connect to it.

Signed-off-by: Michael Engel <[email protected]>
@engelmi engelmi force-pushed the fix-selinux-policy-for-uds branch from 59c7bb3 to 7a2c989 Compare December 18, 2024 13:24
@engelmi engelmi merged commit 5f04d6e into eclipse-bluechi:main Dec 19, 2024
22 checks passed
engelmi added a commit to engelmi/qm that referenced this pull request Jan 14, 2025
Fixes: containers#677

Recently, BlueChi enhanced the support for Unix Domain Sockets,
including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015).
On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM
and have the bluechi-agent inside connect to it. This, however, is currently
rejected due to missing SELinux policy rules. Let's add this rule.

Signed-off-by: Michael Engel <[email protected]>
engelmi added a commit to engelmi/qm that referenced this pull request Jan 14, 2025
Fixes: containers#677

Recently, BlueChi enhanced the support for Unix Domain Sockets,
including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015).
On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM
and have the bluechi-agent inside connect to it. This, however, is currently
rejected due to missing SELinux policy rules. Let's add this rule.

Signed-off-by: Michael Engel <[email protected]>
engelmi added a commit to engelmi/qm that referenced this pull request Jan 16, 2025
Fixes: containers#677

Recently, BlueChi enhanced the support for Unix Domain Sockets,
including the respective SELinux policy (see In eclipse-bluechi/bluechi#1015).
On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM
and have the bluechi-agent inside connect to it. This, however, is currently
rejected due to missing SELinux policy rules. Let's add this rule.

Signed-off-by: Michael Engel <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants