From d2e18436d0dfdd30f5edb382113f77144dd0ef7f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mon, 13 Nov 2023 10:17:14 -0500
Subject: [PATCH] Add support for vsomeip3 selinux policy
Signed-off-by: Daniel J Walsh
Signed-off-by: Douglas Schilling Landgraf
Signed-off-by: Yariv Rachmani
---
 VERSION | 2 +-
 qm.if | 10 ++++++++++
 qm.te | 2 +-
 rpm/qm.spec | 1 +
 4 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index a918a2aa..ee6cdce3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.6.0
+0.6.1
diff --git a/qm.if b/qm.if
index e14680a3..0d458c97 100644
--- a/qm.if
+++ b/qm.if
@@ -55,6 +55,7 @@ template(`qm_domain_template',`
 container_read_share_files($1_t)
 container_exec_share_files($1_t)
 allow $1_t container_ro_file_t:file execmod;
+ allow $1_container_t $1_file_type:chr_file { rw_inherited_file_perms };
 attribute $1_file_type;
 allow $1_file_type self:filesystem associate;
@@ -260,6 +261,7 @@ template(`qm_domain_template',`
 kernel_rw_unix_sysctls($1_t)
 kernel_rw_vm_sysctls($1_t)
 kernel_rw_usermodehelper_state($1_t)
+ kernel_rw_vm_sysctls($1_t)
 kernel_search_debugfs($1_t)
 dontaudit $1_t proc_security_t:file write;
 allow $1_t filesystem_type:filesystem { mount remount unmount };
@@ -468,6 +470,9 @@ template(`qm_domain_template',`
 allow unconfined_domain_type $1_container_domain:process2 { nnp_transition nosuid_transition };
 allow unconfined_service_t $1_container_domain:process dyntransition;
+ dev_getattr_all($1_container_domain)
+ dev_list_sysfs($1_container_domain)
+ dev_dontaudit_mounton_sysfs($1_container_domain)
 domain_dontaudit_link_all_domains_keyrings($1_container_domain)
 domain_dontaudit_search_all_domains_keyrings($1_container_domain)
 domain_dontaudit_search_all_domains_state($1_container_domain)
@@ -555,4 +560,9 @@ template(`qm_domain_template',`
 userdom_rw_inherited_user_pipes($1_container_domain)
 userdom_use_user_ptys($1_container_domain)
+
+ optional_policy(`
vsomeip_use($1_t)
vsomeip_use($1_container_domain)
+ ')
 ')
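Review bot: The second qm.if hunk (@@ -260,6 +261,7 @@) adds `kernel_rw_vm_sysctls($1_t)` two lines below an identical call that is already in the context, so the new line is a duplicate and should be dropped; if a different sysctl interface was meant for vsomeip, that is the line that belongs here. In the first hunk the new chr_file rule is written against `$1_container_t`, while every other container-side grant in this template goes through the `$1_container_domain` attribute; confirm that the concrete type rather than the attribute is intended, and a comment such as `# vsomeip: containers need rw on the device nodes labeled $1_file_type` would record which device nodes this opens up. The commit message covers only the vsomeip3 optional_policy block, but hunks 1–3 also widen the policy (chr_file rw, dev_getattr_all, sysfs listing) without saying why; a sentence in the description tying each of those to a concrete denial would make the broadening reviewable. All four hunks sit inside `qm_domain_template`, whose start is outside the diff.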
diff --git a/qm.te b/qm.te
index f1e010df..9ab774a5 100644
--- a/qm.te
+++ b/qm.te
@@ -1,3 +1,3 @@
-policy_module(qm, 0.6.0)
+policy_module(qm, 0.6.1)
 qm_domain_template(qm)
diff --git a/rpm/qm.spec b/rpm/qm.spec
index 410fc853..ce3ef356 100644
--- a/rpm/qm.spec
+++ b/rpm/qm.spec
@@ -59,6 +59,7 @@ BuildArch: noarch
 BuildRequires: golang-github-cpuguy83-md2man
 BuildRequires: container-selinux
 BuildRequires: make
+BuildRequires: vsomeip3-selinux
 BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %_selinux_policy_version