On Wed, 17 Apr 2019 at 13:07, Aaron Conole <[email protected]> wrote:
>
> These are used for interfacing with conntrack, as well as by some
> DPDK PMDs
Did you get these with audit2allow? If so, then looks good to me.

> > Signed-off-by: Aaron Conole <[email protected]> > --- > selinux/openvswitch-custom.te.in | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/selinux/openvswitch-custom.te.in > b/selinux/openvswitch-custom.te.in > index 26495828a..2adaf231f 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -49,6 +49,10 @@ require { > class filesystem getattr; > class lnk_file { read open }; > class netlink_audit_socket { create nlmsg_relay audit_write read > write }; > + class netlink_netfilter_socket { create nlmsg_relay audit_write read > write }; > +@begin_dpdk@ > + class netlink_rdma_socket { setopt bind create }; > +@end_dpdk@ > class netlink_socket { setopt getopt create connect getattr write > read }; > class sock_file { write }; > class system { module_load module_request }; > @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, > openvswitch_load_module_exec_t, openvswitch_load > #============= openvswitch_t ============== > allow openvswitch_t self:capability { dac_override audit_write net_broadcast > net_raw }; > allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay > audit_write read write }; > +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay > audit_write read write }; > +@begin_dpdk@ > +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; > +@end_dpdk@ > allow openvswitch_t self:netlink_socket { setopt getopt create connect > getattr write read }; > > allow openvswitch_t hostname_exec_t:file { read getattr open execute > execute_no_trans }; > -- > 2.19.1 > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
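Review bot: in the `require { ... }` hunk, the new line `class netlink_netfilter_socket { create nlmsg_relay audit_write read write };` repeats the permission list of the `netlink_audit_socket` line directly above it verbatim; `nlmsg_relay` is a permission specific to the audit netlink class, so please confirm against the original AVC denials that each listed permission is actually defined for `netlink_netfilter_socket` and needed for the conntrack path, because a require block that names a permission the class does not define fails at module build time rather than at runtime. A short comment next to the `@begin_dpdk@` block saying which PMD needs `netlink_rdma_socket` would also help, so the conditional can be revisited when that PMD changes.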
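Review bot: in the `allow` hunk, `allow openvswitch_t self:netlink_rdma_socket { setopt bind create };` is the narrow set a denial-driven run produces, which is good, but the commit message only says "some DPDK PMDs": name the PMD (and the user-space library it goes through) in the commit message so a later reader can tell whether the rule is still required. The `netlink_netfilter_socket` allow rule grants `nlmsg_relay` and `audit_write` alongside `create read write`; if audit2allow did not emit those two for the conntrack denials, drop them here as well so the rule stays at least privilege.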
