On Thu, 18 Apr 2019 at 14:00, Aaron Conole <[email protected]> wrote:
>
> Ansis Atteka <[email protected]> writes:
>
> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <[email protected]> wrote:
> >>
> >> These are used for interfacing with conntrack, as well as by some
> >> DPDK PMDs
> >
> > Did you get these with audit2allow? If so, then looks good to me.
>
> Yes. Sorry, I should have put the AVCs and the resulting permissions
> stuff in the commit message. I'll do that next time.
Acked-by: Ansis Atteka <[email protected]> Pushed it to master branch. > > >> Signed-off-by: Aaron Conole <[email protected]> > >> --- > >> selinux/openvswitch-custom.te.in | 8 ++++++++ > >> 1 file changed, 8 insertions(+) > >> > >> diff --git a/selinux/openvswitch-custom.te.in > >> b/selinux/openvswitch-custom.te.in > >> index 26495828a..2adaf231f 100644 > >> --- a/selinux/openvswitch-custom.te.in > >> +++ b/selinux/openvswitch-custom.te.in > >> @@ -49,6 +49,10 @@ require { > >> class filesystem getattr; > >> class lnk_file { read open }; > >> class netlink_audit_socket { create nlmsg_relay audit_write read > >> write }; > >> + class netlink_netfilter_socket { create nlmsg_relay audit_write > >> read write }; > >> +@begin_dpdk@ > >> + class netlink_rdma_socket { setopt bind create }; > >> +@end_dpdk@ > >> class netlink_socket { setopt getopt create connect getattr write > >> read }; > >> class sock_file { write }; > >> class system { module_load module_request }; > >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, > >> openvswitch_load_module_exec_t, openvswitch_load > >> #============= openvswitch_t ============== > >> allow openvswitch_t self:capability { dac_override audit_write > >> net_broadcast net_raw }; > >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay > >> audit_write read write }; > >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay > >> audit_write read write }; > >> +@begin_dpdk@ > >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; > >> +@end_dpdk@ > >> allow openvswitch_t self:netlink_socket { setopt getopt create connect > >> getattr write read }; > >> > >> allow openvswitch_t hostname_exec_t:file { read getattr open execute > >> execute_no_trans }; > >> -- > >> 2.19.1 > >> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
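Review bot: in the `require` hunk, the new `class netlink_netfilter_socket { create nlmsg_relay audit_write read write };` line carries exactly the same permission set as the existing `netlink_audit_socket` line, and the commit message does not include the AVC denials that produced it (the author acknowledges this above). Please add the audit2allow input to the commit message so a reviewer can confirm that each of the five permissions was actually denied for the conntrack path, rather than carried over from the audit socket line.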
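Review bot: in the `allow` hunk, the `@begin_dpdk@ ... @end_dpdk@` block grants `openvswitch_t self:netlink_rdma_socket { setopt bind create }`, but nothing in the file records which DPDK PMD needs an RDMA netlink socket; the commit message only says "some DPDK PMDs". A one-line comment above the block naming the PMD (and noting the conntrack use for `netlink_netfilter_socket`) would let a later maintainer tell when the rule can be dropped, and would keep the dpdk-conditional allow rule in step with the matching `require` entry above.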
