Set the selinux permissions for DPDK. After this patch, the openvswitch context label has access to the following resources: * hugepage filesystems * vfio devices * additional unix socket permissions * additional filesystem permissions
Additionally, the openvswitch policy is now stored as template file to be built up based on options passed to configure.
Signed-off-by: Aaron Conole <[email protected]>
---
 selinux/automake.mk              |  1 +
 selinux/openvswitch-custom.te    | 16 ----------------
 selinux/openvswitch-custom.te.in | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 16 deletions(-)
 delete mode 100644 selinux/openvswitch-custom.te
 create mode 100644 selinux/openvswitch-custom.te.in

diff --git a/selinux/automake.mk b/selinux/automake.mk
index 1088f36..6fc30b3 100644
--- a/selinux/automake.mk
+++ b/selinux/automake.mk
@@ -6,4 +6,5 @@
 # without warranty of any kind.
 
 EXTRA_DIST += \
+	selinux/openvswitch-custom.te.in \
 	selinux/openvswitch-custom.te
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
deleted file mode 100644
index 47ddb56..0000000
--- a/selinux/openvswitch-custom.te
+++ /dev/null
@@ -1,16 +0,0 @@
-module openvswitch-custom 1.0.1;
-
-require {
-	type openvswitch_t;
-	type openvswitch_tmp_t;
-	type ifconfig_exec_t;
-	type hostname_exec_t;
-	class netlink_socket { setopt getopt create connect getattr write read };
-	class file { write getattr read open execute execute_no_trans };
-}
-
-#============= openvswitch_t ==============
-allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
-allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
-allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
-allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
new file mode 100644
index 0000000..3a0afc6
--- /dev/null
+++ b/selinux/openvswitch-custom.te.in
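Review bot: The automake.mk hunk keeps `selinux/openvswitch-custom.te` in EXTRA_DIST although this patch deletes the checked-in file; if it is now produced by configure from the .te.in (as the @begin_dpdk@/@end_dpdk@ markers in the template suggest), `make dist` will ship the configured copy, baking the packager's DPDK choice into the distributed policy, and a tree where it was never generated would fail the dist copy. Dropping it from EXTRA_DIST (the template line added here is the one that should be distributed) and letting the configure-output cleanup handle the generated file is the usual arrangement; the configure.ac side is not in this patch, so confirm there.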
@@ -0,0 +1,40 @@
+module openvswitch-custom 1.0.1;
+
+require {
+	type openvswitch_t;
+	type openvswitch_tmp_t;
+	type ifconfig_exec_t;
+	type hostname_exec_t;
+	class netlink_socket { setopt getopt create connect getattr write read };
+	class file { write getattr read open execute execute_no_trans };
+}
+
+define(`dpdk_perms', `
+	gen_require(`
+		type vfio_device_t;
+		type kernel_t;
+		type hugetlbfs_t;
+		class file { write getattr read open execute execute_no_trans
+			create unlink };
+		class chr_file { write getattr read open ioctl };
+		class unix_stream_socket { write getattr read connectto connect
+			setopt getopt sendto accept bind recvfrom acceptfrom };
+		class dir { write remove_name add_name lock read };
+	')
+
+	allow $1_t vfio_device_t:chr_file { read write open ioctl getattr };
+	allow $1_t hugetlbfs_t:dir { write remove_name add_name lock read };
+	allow $1_t hugetlbfs_t:file { create unlink };
+	allow $1_t kernel_t:unix_stream_socket { write getattr read connectto
+		connect setopt getopt sendto accept bind recvfrom acceptfrom };
+')
+
+#============= openvswitch_t ==============
+allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
+
+@begin_dpdk@
+dpdk_perms(openvswitch)
+@end_dpdk@
-- 
2.9.3

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
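Review bot: The `allow $1_t kernel_t:unix_stream_socket { … }` rule at the end of the dpdk_perms macro grants server-side permissions (`bind`, `accept`, `acceptfrom`) alongside the client-side `connect`/`connectto`, which is broader than a domain that only opens a connection to an existing socket needs; trimming it to the operations actually reported in the AVC log, and noting in a comment which DPDK component owns the kernel_t-labeled socket, would keep the rule at least privilege. In the same macro the gen_require declares `class file { write getattr read open execute execute_no_trans create unlink }` while only `create unlink` is used on hugetlbfs_t files, so `class file { create unlink };` is sufficient there. Conversely, if the base policy does not already let openvswitch_t read, write and open hugetlbfs_t files, the hugepage backing files DPDK maps would still be denied — worth confirming against a denial log rather than inferring. A header comment such as `# dpdk_perms(domain): vfio, hugetlbfs and socket access needed by DPDK's EAL; emitted only between @begin_dpdk@/@end_dpdk@ when configure enables DPDK` would document the macro's purpose, and since the configure side is not in this patch the comment should also say what @begin_dpdk@/@end_dpdk@ expand to when DPDK is disabled (a single-token substitution such as `dnl` would not remove the `dpdk_perms(openvswitch)` line by itself).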
