Hi Maxime, Thanks for the policy update!
Maxime Coquelin via dev <[email protected]> writes: > Add SELinux policy rules to allow openvswitch to search container > directories and connect to container unix stream sockets. This > enables DPDK to work with vhost-user sockets created by container > runtimes. > > Signed-off-by: Maxime Coquelin <[email protected]> > --- > selinux/openvswitch-custom.te.in | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/selinux/openvswitch-custom.te.in > b/selinux/openvswitch-custom.te.in > index 776b3946d..3e4927d8e 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -39,6 +39,8 @@ require { > type svirt_tmpfs_t; > type vfio_device_t; > type zero_device_t; > + type container_file_t; > + type container_t; > @end_dpdk@ > > class capability { dac_override audit_write net_broadcast net_raw }; 
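Review bot: the two types added to the require block, `type container_file_t;` and `type container_t;`, are not defined anywhere in this policy, so the module will only load on hosts whose installed container policy provides them; the commit message should name that dependency. Placing them inside the @end_dpdk@ section is consistent with the stated purpose (vhost-user sockets for DPDK), which keeps the dependency off builds without DPDK.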
> @@ -108,6 +110,9 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write > append getattr open }; > allow openvswitch_t svirt_t:unix_stream_socket { connectto read write > getattr sendto recvfrom setopt }; > allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; > allow openvswitch_t zero_device_t:chr_file { read open getattr map }; > +allow openvswitch_t container_file_t:dir { search }; > +allow openvswitch_t container_file_t:sock_file { read write append getattr > open }; > +allow openvswitch_t container_t:unix_stream_socket { connectto read write > getattr sendto recvfrom setopt };

I think we can just use (didn't fully test it)

manage_files_pattern(openvswitch_t, container_file_t);
manage_sock_files_pattern(openvswitch_t, container_file_t, container_file_t);
stream_connect_pattern(openvswitch_t, container_t, container_t);

If that works for you, it might be better since the selinux object permissions can become more granular over time, and the selinux refpolicy people usually keep the permissions patterns updated. WDYT?

> @end_dpdk@ > > #============= Transition allows =============
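Review bot: the three new allow rules are narrow (only `dir { search }` on container_file_t, read/write on its sock_file objects, and connectto on container_t stream sockets), which matches the stated goal of connecting to sockets the container runtime created; if they are replaced by refpolicy pattern macros as suggested in the thread, note that manage_files_pattern also grants create, unlink and rename on regular files under container_file_t, which this hunk never asks for, so search_dirs_pattern plus rw_sock_files_pattern plus stream_connect_pattern keeps the same scope while still benefiting from the maintained permission sets. Whichever form is kept, a one-line comment above the rules saying they exist for DPDK vhost-user sockets would help the next reader, since the surrounding rules carry no such hint.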
