On 07/10/2024 9:53, Eelco Chaudron wrote:
>
>
> On 6 Oct 2024, at 13:49, Roi Dayan via dev wrote:
>
>> On 06/10/2024 13:45, Roi Dayan wrote:
>>> After testing with DPDK found netlink_rdma_socket missing
>>> permissions 'getattr' and 'getopt' in the audit logs.
>>>
>>> Signed-off-by: Roi Dayan <[email protected]>
>>> ---
>>> selinux/openvswitch-custom.te.in | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/selinux/openvswitch-custom.te.in
>>> b/selinux/openvswitch-custom.te.in
>>> index fe2c5bb61a57..776b3946d6ab 100644
>>> --- a/selinux/openvswitch-custom.te.in
>>> +++ b/selinux/openvswitch-custom.te.in
>>> @@ -52,7 +52,7 @@ require {
>>> class netlink_audit_socket { create nlmsg_relay read write };
>>> class netlink_netfilter_socket { create read write };
>>> @begin_dpdk@
>>> - class netlink_rdma_socket { setopt bind create };
>>> + class netlink_rdma_socket { setopt getattr getopt bind create };
>>> @end_dpdk@
>>> class netlink_socket { setopt getopt create connect getattr write
>>> read };
>>> class sock_file { write };
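Review bot: the require entry for netlink_rdma_socket gains getattr and getopt, but the commit message only says they were seen in the audit logs and does not quote the denials. Please paste the AVC records (or the audit2allow output) into the commit message so a reader can confirm that source and target are both openvswitch_t, and name the DPDK setup that was tested, since this line sits inside the @begin_dpdk@ block and only applies to DPDK builds.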
>>> @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override
>>> audit_write net_broadcast net
>>> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read
>>> write };
>>> allow openvswitch_t self:netlink_netfilter_socket { create read write };
>>> @begin_dpdk@
>>> -allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>>> +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind
>>> create };
>>> @end_dpdk@
>>> allow openvswitch_t self:netlink_socket { setopt getopt create connect
>>> getattr write read };
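Review bot: in the allow rule for self:netlink_rdma_socket, the permission set is still narrower than the netlink_socket rule just below it, which also grants connect, write and read. If the test ran in enforcing mode, the first denied call can stop the code path before later operations on the socket are attempted, so please confirm with a full DPDK run on the patched policy that no further netlink_rdma_socket denials are logged. The list here has to stay identical to the require entry in the first hunk, which it currently is.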
>>>
>>
>>
>> the robot failed but doesn't seem related to the patch.
>> it failed on check-offloads test check_pkt_len
>>
>> @@ -1,3 +1,3 @@
>> in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614,
>> used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3))
>> -in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614,
>> used:0.001s, actions:output
>> +in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256,
>> used:0.001s, actions:output
>
> You can ask the robot to re-run the test by sending a message that includes:
>
> Recheck-request: github-robot
>
> (this should do it ;)
>
> //Eelco
>
great. thanks. it passed now :)
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev