Introduce RHEL 9 specific SELinux policy

The type `systemd_userdbd_runtime_t` is only available on RHEL 9
and so RHEL 8 policy cannot contain it.

Ticket: ENT-9727
Changelog: None

misc/selinux/Makefile.am

@@ -17,5 +17,6 @@ endif
 # explicit DISTFILES are required for these files to be part of a 'make dist'
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES  = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
+DISTFILES += cfengine-enterprise.te.el9
 
 CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te

misc/selinux/cfengine-enterprise.te.all

@@ -75,7 +75,6 @@ require {
 	type syslogd_var_run_t;
 	type system_dbusd_t;
 	type system_dbusd_var_run_t;
-	type systemd_userdbd_runtime_t;
 	type tmp_t;
 	type tmpfs_t;
 	role system_r;
@@ -643,11 +642,6 @@ allow cfengine_httpd_t tmp_t:file { create setattr unlink write rename };
 allow cfengine_httpd_t tmp_t:dir { add_name remove_name write read };
 allow cfengine_httpd_t var_t:dir read;
 
-# PAM module for dynamic users
-allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
-allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
-allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
-
 # apparently, httpd creates some temporary bits in /tmp that it needs to mmap()
 allow cfengine_httpd_t tmp_t:file map;
 

misc/selinux/cfengine-enterprise.te.el9

@@ -0,0 +1,8 @@
+require {
+	type systemd_userdbd_runtime_t;
+}
+
+# PAM module for dynamic users
+allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { getattr open read search };
+allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
+allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;