The ovs-vswitchd daemon requires both CAP_NET_RAW and
CAP_NET_BROADCAST, but the SELinux policy generally denies them.
This change allows the openvswitch_t domain to retain these
capabilities.
example:
type=AVC msg=audit(1527876508.109:3043): avc: denied {
net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527876508.109:3043): avc: denied {
net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
Signed-off-by: Aaron Conole <[email protected]>
---
selinux/openvswitch-custom.te.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 556e9d6a3..5bd2e1274 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -37,7 +37,7 @@ require {
type vfio_device_t;
@end_dpdk@
- class capability { dac_override audit_write };
+ class capability { dac_override audit_write net_broadcast net_raw };
class chr_file { write getattr read open ioctl };
class dir { write remove_name add_name lock read getattr search open };
class fd { use };
@@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t,
openvswitch_load_module_exec_t);
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t,
openvswitch_load_module_t);
#============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:capability { dac_override audit_write net_broadcast
net_raw };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write
read write };
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr
write read };
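Review bot: The new allow rule grants openvswitch_t net_raw alongside net_broadcast, and net_raw is the broader of the two (CAP_NET_RAW covers raw and packet sockets, not only broadcast sends), yet nothing in the policy file records why the domain needs it; a one-line comment above the rule, such as `# net_raw/net_broadcast: required by ovs-vswitchd (see AVC denials in the commit message)`, would let a later audit of this domain's capability set tell a required grant from an accidental one. The require block in the first hunk and this allow rule now agree on the class list, which is the main consistency to preserve when either is touched again. Separately, the second AVC example in the description repeats `capability=11` for the net_raw denial; CAP_NET_RAW is capability 13 and CAP_NET_BROADCAST is 11, so that line looks like a copy of the first denial rather than the real net_raw AVC and is worth re-checking before merge.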
--
2.14.3