From e77b8d2934e6ab9235c7843a483fe831ca8b9b37 Mon Sep 17 00:00:00 2001
From: Trevor Batley
Date: Fri, 27 Sep 2024 17:12:56 +1000
Subject: [PATCH] selinux policy
---
 selinux/README.md | 1 +
 selinux/koji-sign.te | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 selinux/README.md
 create mode 100644 selinux/koji-sign.te
diff --git a/selinux/README.md b/selinux/README.md
new file mode 100644
index 0000000..6303b85
--- /dev/null
+++ b/selinux/README.md
@@ -0,0 +1 @@
+selinux policy to allow signing of rpms via sign plugin
diff --git a/selinux/koji-sign.te b/selinux/koji-sign.te
new file mode 100644
index 0000000..8c99589
--- /dev/null
+++ b/selinux/koji-sign.te
@@ -0,0 +1,22 @@
+
+module koji-sign 1.0;
+
+require {
+ type etc_t;
+ type devpts_t;
+ type httpd_t;
+ type ptmx_t;
+ class chr_file { getattr ioctl open read write };
+ class dir { add_name remove_name setattr write };
+ class file { create link unlink write };
+ class sock_file { create getattr setattr unlink write };
+}
+
+#============= httpd_t ==============
+
+#!!!! This avc is allowed in the current policy
+allow httpd_t devpts_t:chr_file open;
+allow httpd_t ptmx_t:chr_file { getattr ioctl open read write };
+allow httpd_t etc_t:dir { add_name remove_name setattr write };
+allow httpd_t etc_t:file { create link unlink write };
+allow httpd_t etc_t:sock_file { create getattr setattr unlink write };
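Review bot: The rules `allow httpd_t etc_t:dir { add_name remove_name setattr write };`, `allow httpd_t etc_t:file { create link unlink write };` and the matching `sock_file` rule grant the web server domain create, write and unlink access to everything labelled `etc_t`, which is the generic type for `/etc` and far broader than the sign plugin's keyring directory needs. The module should declare its own file type and ship an `.fc` file that labels only the plugin's GnuPG directory with it, so `httpd_t` gains write access to that one path; the README line `selinux policy to allow signing of rpms via sign plugin` would then also need to say how the module is built and loaded. The `#!!!! This avc is allowed in the current policy` comment is audit2allow output stating that the following `allow httpd_t devpts_t:chr_file open;` is already granted by the base policy, so that line can be dropped. The `ptmx_t` and `devpts_t` rules presumably come from a pinentry or gpg-agent needing a pty during signing; if so, a comment such as `# gpg-agent/pinentry opens a pty when signing` would let the next reviewer judge whether they are still required.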