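# This is a modification to frr-selinux that ships with EL9, adding support
# for frr10.
#
# The class builds and loads a small local SELinux policy module
# (`frr_local`) on top of the distribution's frr policy and turns on one
# SELinux boolean. Both are ordered before Service['frr'] so the daemons
# start under the widened policy.
#
# NOTE(review): every `allow` below widens what frr_t / init_t may do.
# Keep the list minimal and derive additions from actual AVC denials
# (audit2allow) rather than adding rules speculatively.
#
# What the module grants, read literally from the rules:
#   frr_t  -> connect to unix stream sockets labelled initrc_t
#   frr_t  -> issue kernel module autoload requests (module_request);
#             presumably for protocol modules FRR needs -- confirm, this is
#             a broad permission worth auditing
#   frr_t  -> getattr/write on sock files carrying the generic var_run_t
#             label (i.e. not relabelled to an frr-specific type)
#   init_t -> add entries in frr_tmp_t dirs (add_name only; presumably the
#             base policy already grants `write` on that dir -- confirm)
#   init_t -> write/add entries in frr_var_run_t dirs and create/open/write
#             frr_var_run_t files
#   init_t -> setpgid on itself
class profiles::selinux::frr {
  # Literal heredoc (no interpolation): the policy source contains no Puppet
  # variables, and a `$` introduced in a future rule must not be interpolated.
  # The `require {}` block declares the types/classes used so `simple`
  # builder (checkmodule/semodule_package, no refpolicy interfaces) can
  # compile it standalone.
  $frr_te_content = @(EOF)
    module frr_local 1.0;

    require {
      type frr_t;
      type initrc_t;
      type kernel_t;
      type var_run_t;
      type frr_tmp_t;
      type frr_var_run_t;
      type init_t;
      class unix_stream_socket connectto;
      class system module_request;
      class sock_file { getattr write };
      class dir { add_name write };
      class file { create write open };
      class process setpgid;
    }

    #============= frr_t ==============
    allow frr_t initrc_t:unix_stream_socket connectto;
    allow frr_t kernel_t:system module_request;
    allow frr_t var_run_t:sock_file { getattr write };

    #============= init_t ==============
    allow init_t frr_tmp_t:dir add_name;
    allow init_t frr_var_run_t:dir { write add_name };
    allow init_t frr_var_run_t:file { create open write };
    allow init_t self:process setpgid;
    | EOF

  # Skipped inside LXC containers; presumably because the container cannot
  # manage its own SELinux policy store -- confirm against the host setup.
  unless $facts['virtual'] == 'lxc' {
    selinux::module { 'frr_local':
      ensure     => 'present',
      content_te => $frr_te_content,
      builder    => 'simple',
      before     => Service['frr'],
    }

    # NOTE(review): domain_can_mmap_files is a system-wide boolean -- it
    # relaxes file mapping for every domain, not just frr_t. A narrower
    # alternative is an explicit `map` permission on the specific file
    # type(s) frr maps, added to the module above; confirm from AVC
    # denials which type that is before tightening. `persistent` makes the
    # change survive reboots (setsebool -P).
    selboolean { 'domain_can_mmap_files':
      value      => 'on',
      persistent => true,
      before     => Service['frr'],
    }
  }
}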