Ansis Atteka <[email protected]> writes:

> On Wed, 17 Apr 2019 at 13:07, Aaron Conole <[email protected]> wrote:
>>
>> These are used for interfacing with conntrack, as well as by some
>> DPDK PMDs
>
> Did you get these with audit2allow? If so, then looks good to me.

Yes.  Sorry, I should have put the AVCs and the resulting permissions
stuff in the commit message.  I'll do that next time.

>> Signed-off-by: Aaron Conole <[email protected]>
>> ---
>>  selinux/openvswitch-custom.te.in | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/selinux/openvswitch-custom.te.in 
>> b/selinux/openvswitch-custom.te.in
>> index 26495828a..2adaf231f 100644
>> --- a/selinux/openvswitch-custom.te.in
>> +++ b/selinux/openvswitch-custom.te.in
>> @@ -49,6 +49,10 @@ require {
>>          class filesystem getattr;
>>          class lnk_file { read open };
>>          class netlink_audit_socket { create nlmsg_relay audit_write read 
>> write };
>> +        class netlink_netfilter_socket { create nlmsg_relay audit_write 
>> read write };
>> +@begin_dpdk@
>> +        class netlink_rdma_socket { setopt bind create };
>> +@end_dpdk@
>>          class netlink_socket { setopt getopt create connect getattr write 
>> read };
>>          class sock_file { write };
>>          class system { module_load module_request };
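Review bot: the permission set requested for netlink_netfilter_socket (create nlmsg_relay audit_write read write) is a verbatim copy of the netlink_audit_socket line directly above it, so it is not clear from the hunk whether each of those five permissions came from an actual AVC denial or whether the list was copied. Since the reply above acknowledges the AVCs were left out of the commit message, please paste the denials (or the audit2allow output) into the commit message so a reviewer can confirm that the unconditional netfilter rule is limited to what conntrack interaction actually needs; the same applies to the @begin_dpdk@-guarded netlink_rdma_socket { setopt bind create } entry, which should name the PMD that triggered it.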
>> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, 
>> openvswitch_load_module_exec_t, openvswitch_load
>>  #============= openvswitch_t ==============
>>  allow openvswitch_t self:capability { dac_override audit_write 
>> net_broadcast net_raw };
>>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay 
>> audit_write read write };
>> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay 
>> audit_write read write };
>> +@begin_dpdk@
>> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>> +@end_dpdk@
>>  allow openvswitch_t self:netlink_socket { setopt getopt create connect 
>> getattr write read };
>>
>>  allow openvswitch_t hostname_exec_t:file { read getattr open execute 
>> execute_no_trans };
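Review bot: the two new allow rules must stay in sync with the require block in the previous hunk, and here they do, but the netlink_netfilter_socket rule is granted unconditionally while the netlink_rdma_socket rule is wrapped in @begin_dpdk@/@end_dpdk@; a one-line comment above each rule stating why (conntrack always, RDMA netlink only for DPDK builds) would make that split self-explanatory to the next person editing this file, rather than relying on the commit message. Given that write access on a netfilter netlink socket lets openvswitch_t change conntrack state, recording the motivating denials next to these rules also gives a future audit a concrete basis for deciding whether any of the permissions can later be dropped.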
>> --
>> 2.19.1
>>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
