On Wed, 18 Jul 2018 at 07:53, Aaron Conole <[email protected]> wrote:
>
> Newer selinux base policies now split out 'map' actions, as well as
> adding more explicit checks for hugetlbfs objects. Where previously these
> weren't required, recent changes have flagged the allocation of hugepages
> and subsequent clearing. This means that the hugepage storage information
> for the DPDK .rte_config, and clearing actions copying from /dev/zero will
> trigger selinux denials.
>
> This commit allows openvswitch to have more permissions for the hugetlbfs
> allocation and use.
>
> Signed-off-by: Aaron Conole <[email protected]>

Thanks for the patch and sorry for the late reply:
Acked-by: Ansis Atteka <[email protected]> Pushed to master. Do you want this to be in other branches? > --- > NOTE: I seem to have lost the system with the logs that were used to > generate this policy. If needed, I can ask to get access again and > recreate the scenarios. > > selinux/openvswitch-custom.te.in | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/selinux/openvswitch-custom.te.in > b/selinux/openvswitch-custom.te.in > index 4678f2f57..21de1136d 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -37,13 +37,14 @@ require { > type svirt_image_t; > type svirt_tmpfs_t; > type vfio_device_t; > + type zero_device_t; > @end_dpdk@ > > class capability { dac_override audit_write net_broadcast net_raw }; > - class chr_file { write getattr read open ioctl }; > + class chr_file { write getattr read open ioctl map }; > class dir { write remove_name add_name lock read getattr search open > }; > class fd { use }; > - class file { write getattr read open execute execute_no_trans create > unlink map entrypoint lock ioctl }; > + class file { map write getattr read open execute execute_no_trans > create unlink map entrypoint lock ioctl }; > class fifo_file { getattr read write append ioctl lock open }; > class filesystem getattr; > class lnk_file { read open }; 
> @@ -83,7 +84,8 @@ allow openvswitch_t openvswitch_rw_t:dir { write > remove_name add_name lock read > allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute > execute_no_trans create unlink }; > allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; > allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr > read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; > -allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; > +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search > write remove_name add_name lock }; > +allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr > create unlink }; > allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open > ioctl }; > > @begin_dpdk@ > @@ -96,6 +98,7 @@ allow openvswitch_t svirt_tmpfs_t:file { read write }; > allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open > }; > allow openvswitch_t svirt_t:unix_stream_socket { connectto read write > getattr sendto recvfrom setopt }; > allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; > +allow openvswitch_t zero_device_t:chr_file { read open getattr map }; > @end_dpdk@ > > #============= Transition allows ============= > -- > 2.14.3 > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
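Review bot: the rewritten "class file { ... }" require line in the first hunk lists "map" twice, once newly prepended and once in its original position before "entrypoint"; the pre-patch line already required "map", so this change is redundant and one of the two should go, for example by keeping the original "class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };" unchanged. The "map" added to "class chr_file" and the new "type zero_device_t;" inside the @begin_dpdk@ block are the parts of this hunk that the later hunks actually depend on.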
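Review bot: the two new openvswitch_var_run_t rules in the second hunk are placed outside the @begin_dpdk@/@end_dpdk@ block, yet the commit message motivates them with DPDK-only behaviour (the hugepage-backed .rte_config), so either move them into the DPDK section or state in the commit message why a non-DPDK ovs-vswitchd also needs "write remove_name add_name lock" on the run directory and "create unlink map" on files there. Since the NOTE says the audit logs were lost, please at least list the denials (tclass and permission) that each new permission resolves, so a later reader can tell the narrow "map" grant on openvswitch_var_run_t:file apart from the broader directory write grant, which is a larger widening of what the daemon may do under /var/run.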
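The NOTE above says the audit logs behind this policy were lost. As an added example that is not part of this thread or of the Open vSwitch tree, the following Python shows the derivation the patch implies: parse AVC denial lines into (source type, target type, class, permissions) requirements, render them as .te allow rules, and check which requirements the patch's three new allow rules (copied from the diff above) actually cover. The audit lines are constructed to resemble the denials the commit message describes; pids, inodes, timestamps and the exact path are made up, and the final "write" denial on /dev/zero is deliberately one the patch does not grant, to show that the check reports denials a policy leaves unresolved instead of silently allowing everything.

```python
"""Derive SELinux allow rules from AVC denials and check them against a policy.

Added example for this thread; it is not OVS code and not part of the patch.
The audit lines below are constructed to resemble the denials the commit
message describes (pids, inodes and timestamps are made up). The allow rules
are the three lines the patch adds, copied from the diff as it reads after
the patch is applied.
"""
import re
from collections import defaultdict

# Constructed AVC denials: a hugepage-backed DPDK file under the OVS run
# directory and mmap of /dev/zero, both now gated on the 'map' permission.
# The final 'write' denial on /dev/zero is deliberately one the patch does
# not grant, to show that not every denial should become a rule.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1531900000.101:301): avc:  denied  { map } for  pid=2101 comm="ovs-vswitchd" path="/var/run/openvswitch/.rte_config" dev="tmpfs" ino=27 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531900000.102:302): avc:  denied  { create } for  pid=2101 comm="ovs-vswitchd" name=".rte_config" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531900000.103:303): avc:  denied  { map } for  pid=2101 comm="ovs-vswitchd" path="/dev/zero" dev="devtmpfs" ino=6 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1531900000.104:304): avc:  denied  { write } for  pid=2101 comm="ovs-vswitchd" path="/dev/zero" dev="devtmpfs" ino=6 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
"""

# The allow rules added by the patch, as they read after it is applied.
PATCH_RULES = """\
allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
allow openvswitch_t zero_device_t:chr_file { read open getattr map };
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(FIELD_RE.findall(line))
    # Contexts are user:role:type:level; the type is the third component.
    source = fields["scontext"].split(":")[2]
    target = fields["tcontext"].split(":")[2]
    return source, target, fields["tclass"], perms


def denials_to_requirements(audit_text):
    """Aggregate denials per (source, target, class) into the permissions they need."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            needed[(source, target, tclass)].update(perms)
    return dict(needed)


def parse_rules(policy_text):
    """Collect the permissions each 'allow' rule grants per (source, target, class)."""
    allowed = defaultdict(set)
    for m in RULE_RE.finditer(policy_text):
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        allowed[(m.group(1), m.group(2), m.group(3))].update(perms)
    return dict(allowed)


def format_rule(key, perms):
    """Render one requirement as a .te allow rule (sorted for stable diffs)."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def uncovered(needed, allowed):
    """Return the denials that the given rules would still not permit."""
    gaps = {}
    for key, perms in needed.items():
        missing = perms - allowed.get(key, set())
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    needed = denials_to_requirements(SAMPLE_AUDIT)
    print("rules the denials ask for:")
    for key in sorted(needed):
        print("  " + format_rule(key, needed[key]))
    print("still denied under the patch's rules:")
    for key, perms in uncovered(needed, parse_rules(PATCH_RULES)).items():
        print("  " + format_rule(key, perms))
```

Run as a script it prints the rules the constructed denials ask for and then the one requirement the patch leaves unresolved (write on zero_device_t:chr_file). Keeping that gap visible is the point: a reviewer can then decide whether a leftover denial needs an allow rule, a dontaudit, or is a sign the application is doing something it should not, rather than feeding every denial straight into the policy.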
