On 6 Oct 2024, at 13:49, Roi Dayan via dev wrote:

> On 06/10/2024 13:45, Roi Dayan wrote:
>> After testing with DPDK found netlink_rdma_socket missing
>> permissions 'getattr' and 'getopt' in the audit logs.
>>
>> Signed-off-by: Roi Dayan <[email protected]>
>> ---
>>  selinux/openvswitch-custom.te.in | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/selinux/openvswitch-custom.te.in 
>> b/selinux/openvswitch-custom.te.in
>> index fe2c5bb61a57..776b3946d6ab 100644
>> --- a/selinux/openvswitch-custom.te.in
>> +++ b/selinux/openvswitch-custom.te.in
>> @@ -52,7 +52,7 @@ require {
>>          class netlink_audit_socket { create nlmsg_relay read write };
>>          class netlink_netfilter_socket { create read write };
>>  @begin_dpdk@
>> -        class netlink_rdma_socket { setopt bind create };
>> +        class netlink_rdma_socket { setopt getattr getopt bind create };
>>  @end_dpdk@
>>          class netlink_socket { setopt getopt create connect getattr write 
>> read };
>>          class sock_file { write };
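Review bot: the two permissions added to the netlink_rdma_socket class in this require block are justified only by a mention of the audit logs, and the denial records themselves are not quoted. Please include the relevant AVC lines in the commit message so reviewers can confirm that 'getattr' and 'getopt' are the complete set of missing permissions and that the denials were for openvswitch_t on its own socket.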
>> @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override 
>> audit_write net_broadcast net
>>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read 
>> write };
>>  allow openvswitch_t self:netlink_netfilter_socket { create read write };
>>  @begin_dpdk@
>> -allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>> +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind 
>> create };
>>  @end_dpdk@
>>  allow openvswitch_t self:netlink_socket { setopt getopt create connect 
>> getattr write read };
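Review bot: the allow rule for self:netlink_rdma_socket still grants no read or write, while the netlink_socket rule directly below it grants both. If the audit log was collected in enforcing mode, a denied getattr or getopt can stop the code path before later socket operations are attempted, so please confirm with a permissive-mode run that no further netlink_rdma_socket denials show up before this set is treated as final.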
>>
>
>
> the robot failed but doesn't seem related to the patch.
> it failed on check-offloads test check_pkt_len
>
> @@ -1,3 +1,3 @@
>  in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, 
> used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3))
> -in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, 
> used:0.001s, actions:output
> +in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256, 
> used:0.001s, actions:output

You can ask the robot to re-run the test by sending a message that includes:

Recheck-request: github-robot

(this should do it ;)

//Eelco

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
