
FIDO Device Onboard DB support is missing some SELinux Policies


The new 0.5.0 version of fdo-device-onboard-rs comes with preliminary database support as a Tech Preview. However, some downstream releases do not work properly because they are missing the SELinux policy rules below:

# SELinux policy module that supplements the fdo_t domain with the rules the
# shipped policy lacks for the 0.5.0 database (Tech Preview) support.
# The layout matches audit2allow output, so these rules presumably mirror
# observed AVC denials rather than a reviewed design — confirm each one is
# actually required before loading the module system-wide.
module fdo-db 1.0;

# Every type and class referenced by the allow rules below must be declared
# here; a missing declaration makes the module fail to link against the base
# policy at install time.
require {
	type postgresql_port_t;
	type fdo_conf_t;
	type fdo_t;
	type etc_t;
	type krb5_keytab_t;
	type sssd_var_run_t;
	type fdo_var_lib_t;
	type sssd_t;
	class tcp_socket name_connect;
	class dir { add_name remove_name search write };
	class sock_file write;
	class unix_stream_socket connectto;
	class file { append create rename setattr unlink write };
}

#============= fdo_t ==============

# NOTE(review): this grants write access to *any* file labeled etc_t, which is
# far broader than a single config file. If one specific file under /etc is
# being written, labeling that file fdo_conf_t (already writable below) would
# be the narrower rule — confirm which file triggers the denial.
allow fdo_t etc_t:file write;

# Full modify access (append/create/rename/setattr/delete/write) to files
# labeled fdo_conf_t, i.e. the daemon's own configuration.
allow fdo_t fdo_conf_t:file { append create rename setattr unlink write };

# Add and remove directory entries in fdo_var_lib_t directories (the
# daemon's own state directory). Note: no search permission is granted here;
# it is presumably already in the base policy.
allow fdo_t fdo_var_lib_t:dir { add_name remove_name write };

# Create, delete and write files in the daemon's state directory.
allow fdo_t fdo_var_lib_t:file { create setattr unlink write };

# Traverse (search) keytab directories only; this does not grant read access
# to the keytab files themselves.
allow fdo_t krb5_keytab_t:dir search;

# Outbound TCP connect to ports labeled postgresql_port_t (the database
# listener). Without this the DB client cannot reach PostgreSQL.
allow fdo_t postgresql_port_t:tcp_socket name_connect;

# The next two rules together let fdo_t connect to sssd's UNIX socket —
# presumably for NSS/PAM lookups performed by the database client; verify
# against the actual denials.
allow fdo_t sssd_t:unix_stream_socket connectto;

allow fdo_t sssd_var_run_t:sock_file write;

To install them, save the content above as fdo-db.te and run the following commands as root:

# Build and load the module from the fdo-db.te source above. All steps need
# root (the prompt shows a root shell).
# Note: on current Fedora/RHEL releases the checkmodule binary ships in the
# checkpolicy package rather than policycoreutils — install it as well if the
# next command reports "command not found".
[root@localhost:~]# dnf install -y policycoreutils
# Compile the type-enforcement source into a binary policy module
# (-M: MLS/MCS-aware build, -m: produce a non-base module).
[root@localhost:~]# checkmodule -M -m -o fdo-db.mod fdo-db.te
# Wrap the compiled module into a loadable policy package (.pp).
[root@localhost:~]# semodule_package -o fdo-db.pp -m fdo-db.mod
# Install the package into the policy store, which also activates it in the
# running kernel policy; `semodule -l | grep fdo-db` confirms it is loaded.
[root@localhost:~]# semodule -i fdo-db.pp