Updates SELinux to allow ovs-vsctl to get parent process
information and log that to the database:
record 241: 2016-07-26 00:59:47.418 "ovs-vsctl (invoked by /bin/bash
(pid 1589)): ovs-vsctl -t 10 -- --if-exist ...
Jul 25 12:57:35 localhost.localdomain audit[830]: AVC avc: denied {
search } for pid=830 comm="ovs-vsctl" name="731" dev="proc" ino=14140
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=dir permissive=0
Signed-off-by: Flavio Leitner <[email protected]>
---
selinux/openvswitch-custom.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
index fc32b97..5739595 100644
--- a/selinux/openvswitch-custom.te
+++ b/selinux/openvswitch-custom.te
@@ -2,8 +2,13 @@ module openvswitch-custom 1.0;
require {
type openvswitch_t;
+ attribute domain;
class netlink_socket { setopt getopt create connect getattr write read
};
+ class dir { search };
+ class file { open getattr read };
}
#============= openvswitch_t ==============
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr
write read };
+allow openvswitch_t domain:dir { search };
+allow openvswitch_t domain:file { open getattr read };
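Review bot: The two new allow rules at the end of the hunk grant openvswitch_t search and read over the /proc/<pid> entries of every process domain, since `domain` is the attribute carried by all process types, which is far wider than the initrc_t parent shown in the quoted AVC denial, and nothing in the module records why that breadth is needed. If the invoking parent can legitimately be any domain (a shell, a script, a service manager), that reasoning belongs in the .te file as a comment above the rules, e.g. `# ovs-vsctl reads /proc/<ppid> to log its invoking process; the parent may run in any domain, hence the domain attribute`; if it can be bounded to a few parent types, prefer listing those types instead of `domain`. A policy built against refpolicy could express this with an interface such as domain_read_all_domains_state(openvswitch_t), but since this module uses a raw require block the explicit rules are acceptable. Note also that `file { open getattr read }` on `domain` covers every domain-labelled /proc/<pid> file, not only the one ovs-vsctl actually reads (presumably cmdline, given the "invoked by /bin/bash" log line); it is worth confirming which file the OVS code reads and naming it in the comment.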
--
2.7.4