On 06/10/2024 13:45, Roi Dayan wrote:
> After testing with DPDK found netlink_rdma_socket missing
> permissions 'getattr' and 'getopt' in the audit logs.
>
> Signed-off-by: Roi Dayan <[email protected]>
> ---
> selinux/openvswitch-custom.te.in | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in
> b/selinux/openvswitch-custom.te.in
> index fe2c5bb61a57..776b3946d6ab 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -52,7 +52,7 @@ require {
> class netlink_audit_socket { create nlmsg_relay read write };
> class netlink_netfilter_socket { create read write };
> @begin_dpdk@
> - class netlink_rdma_socket { setopt bind create };
> + class netlink_rdma_socket { setopt getattr getopt bind create };
> @end_dpdk@
> class netlink_socket { setopt getopt create connect getattr write
> read };
> class sock_file { write };
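Review bot: the commit message points at audit-log denials as the reason for adding `getattr` and `getopt`, but does not quote them; including the relevant avc denial lines in the message would let reviewers confirm that exactly these two permissions are needed and no others. The `require` declaration itself is consistent with the allow rule that follows (`class netlink_rdma_socket { setopt getattr getopt bind create };`) and stays inside the `@begin_dpdk@`/`@end_dpdk@` guard, so non-DPDK builds are unaffected.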
> @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override
> audit_write net_broadcast net
> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read
> write };
> allow openvswitch_t self:netlink_netfilter_socket { create read write };
> @begin_dpdk@
> -allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
> +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind
> create };
> @end_dpdk@
> allow openvswitch_t self:netlink_socket { setopt getopt create connect
> getattr write read };
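Review bot: `getattr` and `getopt` are read-only queries on the socket and the rule is scoped to `self:`, so the widening of `openvswitch_t` here is minimal and appropriate for denials observed only under DPDK; the permission set `{ setopt getattr getopt bind create }` matches the `require` declaration in the first hunk, which keeps the policy compiling and keeps both lists in sync.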
>
The robot failed but it doesn't seem related to the patch.
It failed on the check-offloads test check_pkt_len:
@@ -1,3 +1,3 @@
in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614,
used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3))
-in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614,
used:0.001s, actions:output
+in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256,
used:0.001s, actions:output
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev