From 2a744d38c2a9fa41791130b420b0702be245d7af Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Fri, 2 Feb 2024 17:42:23 +0100
Subject: [PATCH] make cockpit definition optional
---
 foreman.fc | 2 +-
 foreman.te | 39 +++++++++++++++++++++++++--------------
 2 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/foreman.fc b/foreman.fc
index c08e7b5..6e56586 100644
--- a/foreman.fc
+++ b/foreman.fc
@@ -40,7 +40,7 @@
 # Foreman Remote Execution
-/usr/sbin/foreman-cockpit-session gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/sbin/foreman-cockpit-session gen_context(system_u:object_r:foreman_cockpit_session_exec_t,s0)
 # Foreman Hooks plugin
diff --git a/foreman.te b/foreman.te
index 409b37c..923818a 100644
--- a/foreman.te
+++ b/foreman.te
@@ -128,9 +128,6 @@ require{
 type bin_t;
 type httpd_t;
 type websm_port_t;
-type cockpit_ws_t;
-type cockpit_session_t;
-type cockpit_session_exec_t;
 type unconfined_service_t;
 type http_cache_port_t;
 type squid_port_t;
@@ -333,21 +330,35 @@ manage_dirs_pattern(foreman_rails_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
 # Remote Execution
 #
-# Run /usr/bin/env and /usr/bin/ruby
-corecmd_exec_bin(cockpit_ws_t)
-kernel_read_system_state(cockpit_ws_t)
+# this needs to exist even if cockpit policy doesn't
+type foreman_cockpit_session_exec_t;
-# Connect to Foreman HTTP(s) port
-corenet_tcp_connect_http_port(cockpit_session_t)
-corenet_tcp_connect_http_port(cockpit_ws_t)
+optional_policy(`
+ gen_require(`
+ type cockpit_ws_t;
+ type cockpit_session_t;
+ type cockpit_session_exec_t;
+ ')
+ # foreman-cockpit-session needs to be labeled foreman_cockpit_session_exec_t,
+ # but we need to end up in cockpit_session_t
+ domtrans_pattern(cockpit_ws_t, foreman_cockpit_session_exec_t, cockpit_session_t)
+ domain_entry_file(cockpit_session_t, foreman_cockpit_session_exec_t)
-# Connect to remote Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(cockpit_session_t)
-corenet_tcp_connect_websm_port(cockpit_ws_t)
+ # Run /usr/bin/env and /usr/bin/ruby
+ corecmd_exec_bin(cockpit_ws_t)
+ kernel_read_system_state(cockpit_ws_t)
-# Connect to Foreman Cockpit instance HTTPS port
-corenet_tcp_connect_websm_port(httpd_t)
+ # Connect to Foreman HTTP(s) port
+ corenet_tcp_connect_http_port(cockpit_session_t)
+ corenet_tcp_connect_http_port(cockpit_ws_t)
+ # Connect to remote Cockpit instance HTTPS port
+ corenet_tcp_connect_websm_port(cockpit_session_t)
+ corenet_tcp_connect_websm_port(cockpit_ws_t)
+
+ # Connect to Foreman Cockpit instance HTTPS port
+ corenet_tcp_connect_websm_port(httpd_t)
+')
 #######################################
 #
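Review bot: `type foreman_cockpit_session_exec_t;` is declared unconditionally, but every rule that gives it attributes — `domain_entry_file(...)` and the `domtrans_pattern(...)` — sits inside the new `optional_policy` block, so on a host without the cockpit module the binary relabeled by the foreman.fc hunk carries a type with no file or exec attribute, unless something outside this hunk assigns one. A type like that is not matched by generic `file_type`/`exec_type` rules (package-manager relabeling, backup and admin tooling) and is unreadable and unexecutable for every domain until the cockpit policy is installed, which is a worse failure mode than the unresolved `require` the commit removes. Consider adding `corecmd_executable_file(foreman_cockpit_session_exec_t)` directly after the type declaration, outside the optional block, so the label is a proper executable file type regardless of whether cockpit policy is present. Note also that `corenet_tcp_connect_websm_port(httpd_t)` moved inside the optional block, so httpd_t's access to the websm port is now granted only when the local cockpit module is loaded; if that is intended, a comment on the `optional_policy(` line saying so would spare the next reader the question.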