Open
Labels
bug: Something isn't working
Description
There are constant audit messages related to bluechi-agent either when the bluechi-agent in qm is down.
This happens on a c9s VM.
```
[root@ibm-p8-kvm-03-guest-02 ~]# podman exec -it qm bash -c "rpm -qa | grep bluechi-agent"
bluechi-agent-1.1.0-0.202505290613.git671aec6.el9.x86_64
[root@ibm-p8-kvm-03-guest-02 ~]# rpm -q qm
qm-0.7.6-1.20250630205442771940.pr857.6.g0df737f.el9.noarch
```

```
Jul 1 11:03:23 ibm-p8-kvm-03-guest-02 setroubleshoot[13510]: SELinux is preventing /usr/libexec/bluechi-agent from name_connect access on the tcp_socket port 842. For complete SELinux messages run: sealert -l b8cb8175-0b92-4627-88ba-6e0fd81c7224
Jul 1 11:03:23 ibm-p8-kvm-03-guest-02 setroubleshoot[13510]: SELinux is preventing /usr/libexec/bluechi-agent from name_connect access on the tcp_socket port 842.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bluechi-agent should be allowed name_connect access on the port 842 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'bluechi-agent' --raw | audit2allow -M my-bluechiagent#012# semodule -X 300 -i my-bluechiagent.pp#012
```

```
module my-bluechiagent 1.0;

require {
	type hi_reserved_port_t;
	type qm_bluechi_agent_t;
	class tcp_socket name_connect;
}

#============= qm_bluechi_agent_t ==============
allow qm_bluechi_agent_t hi_reserved_port_t:tcp_socket name_connect;
```
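For triaging a stream of messages like the ones in this report, the following added example (not part of the original issue or of the qm/bluechi projects) decodes rsyslog's `#012` newline escapes and counts each distinct denial once. The sample log is constructed, with a placeholder hostname and sealert ID; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the setroubleshoot lines in the report
# (hostname and sealert ID are placeholders).
SAMPLE_LOG = """\
Jul 1 11:03:23 host setroubleshoot[13510]: SELinux is preventing /usr/libexec/bluechi-agent from name_connect access on the tcp_socket port 842. For complete SELinux messages run: sealert -l 00000000-0000-0000-0000-000000000000
Jul 1 11:03:23 host setroubleshoot[13510]: SELinux is preventing /usr/libexec/bluechi-agent from name_connect access on the tcp_socket port 842.#012#012***** Plugin catchall (100. confidence) suggests **************************#012
Jul 1 11:03:28 host setroubleshoot[13510]: SELinux is preventing /usr/libexec/bluechi-agent from name_connect access on the tcp_socket port 842. For complete SELinux messages run: sealert -l 00000000-0000-0000-0000-000000000000
Jul 1 11:03:29 host sshd[900]: Accepted publickey for root
"""

# rsyslog writes control characters as '#' plus three octal digits (#012 = newline).
ESCAPE = re.compile(r"#([0-3][0-7]{2})")
DENIAL = re.compile(
    r"setroubleshoot\[\d+\]: SELinux is preventing (?P<source>\S+) from "
    r"(?P<perm>\S+) access on the (?P<tclass>\S+) (?P<target>.+?)\.(?=\s|$)"
)


def decode_escapes(line):
    """Turn rsyslog #NNN octal escapes back into the original characters."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def summarize(log_text):
    """Count denials per (source, permission, class, target) tuple."""
    counts = Counter()
    for raw in log_text.splitlines():
        line = decode_escapes(raw)
        match = DENIAL.search(line)
        # setroubleshoot logs a one-line summary and a multi-line detail
        # message per denial; count only the summary to avoid doubling.
        if match is None or "\n" in line:
            continue
        counts[(match["source"], match["perm"], match["tclass"], match["target"])] += 1
    return counts


if __name__ == "__main__":
    for (source, perm, tclass, target), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {source}  {perm}  {tclass}  {target}")
```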