SELinux policy for QM + BlueChi

[engelmi]

In the context of eclipse-bluechi/bluechi#997, the support for Unix Domain Sockets in BlueChi has been enhanced. This also included the respective SELinux policy (see In eclipse-bluechi/bluechi#1015). On a setup QM + BlueChi it makes sense to mount the UDS of BlueChi into QM and have the bluechi-agent inside connect to it. This, however, is currently rejected due to missing SELinux policy rules.
In this thread eclipse-bluechi/bluechi#1015 (comment) some approaches were briefly discussed on how to solve this. Since BlueChi might be used inside QM and BlueChi doesn't know anything about QM, I think it would make sense extend QMs SELinux policy.

[Yarboa]

UDS are allowed on specific directory
We can verify it again
Please take a look here #469
Domain socket directory should be here
/run/ipc-demo/ipc.socket
Already tried it in the past
/var/run/ipc/controller.sock

Please search for that policy
...File context for ipc programs
/usr/bin/ipc-demo gen_context(system_u:object_r:ipc_exec_t,s0)
/var/run/ipc-demo(/.)? gen_context(system_u:object_r:ipc_var_run_t,s0)
/var/run/ipc(/.)? gen_context(system_u:object_r:ipc_var_run_t,s0)

@engelmi I think Bluechi could use the /var/run/ipc
Please refer this
https://docs.podman.io/en/v5.1.1/markdown/podman-run.1.html