[ovs-dev] [PATCH] selinux: changes to support newer hugetlbfs restrictions

Ansis Atteka ansisatteka at gmail.com
Mon Jul 30 00:35:17 UTC 2018


On Wed, 18 Jul 2018 at 07:53, Aaron Conole <aconole at redhat.com> wrote:
>
> Newer selinux base policies now split out 'map' actions, as well as
> adding more explicit checks for hugetlbfs objects.  Where previously these
> weren't required, recent changes have flagged the allocation of hugepages
> and subsequent clearing.  This means that the hugepage storage information
> for the DPDK .rte_config, and clearing actions copying from /dev/zero will
> trigger selinux denials.
>
> This commit allows openvswitch to have more permissions for the hugetlbfs
> allocation and use.
>
> Signed-off-by: Aaron Conole <aconole at redhat.com>
Thanks for the patch and sorry for the late reply:

Acked-by: Ansis Atteka <aatteka at ovn.org>

Pushed to master. Do you want this to be in other branches?
> ---
> NOTE: I seem to have lost the system with the logs that were used to
>       generate this policy.  If needed, I can ask to get access again and
>       recreate the scenarios.
>
>  selinux/openvswitch-custom.te.in | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index 4678f2f57..21de1136d 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -37,13 +37,14 @@ require {
>          type svirt_image_t;
>          type svirt_tmpfs_t;
>          type vfio_device_t;
> +        type zero_device_t;
>  @end_dpdk@
>
>          class capability { dac_override audit_write net_broadcast net_raw };
> -        class chr_file { write getattr read open ioctl };
> +        class chr_file { write getattr read open ioctl map };
>          class dir { write remove_name add_name lock read getattr search open };
>          class fd { use };
> -        class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
> +        class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
>          class fifo_file { getattr read write append ioctl lock open };
>          class filesystem getattr;
>          class lnk_file { read open };
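Review bot: in the `class file` permission set, `map` now appears twice (once newly at the front, once where it already stood before `entrypoint`); the added leading `map` is redundant and the line can stay as it was, i.e. `class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };`. Even if the policy compiler accepts the duplicate, the diff reads as though a new permission were being introduced for the file class when only `chr_file` actually gains `map` here.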
> @@ -83,7 +84,8 @@ allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read
>  allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
>  allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
>  allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
> -allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };
> +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
> +allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
>  allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
>
>  @begin_dpdk@
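Review bot: the two new `openvswitch_var_run_t` rules sit outside the `@begin_dpdk@`/`@end_dpdk@` block, yet the commit message motivates them with the DPDK `.rte_config` hugepage storage; if the non-DPDK build also needs `map`/`create`/`unlink` on its run directory, the commit message should say so, otherwise these lines belong inside the DPDK block. Granting `write remove_name add_name lock` on the directory plus `create unlink` on files is also broader than mapping one config file, so it is worth stating which denial each permission answers, especially since the NOTE says the AVC logs used to derive this were lost.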
> @@ -96,6 +98,7 @@ allow openvswitch_t svirt_tmpfs_t:file { read write };
>  allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
>  allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
>  allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
> +allow openvswitch_t zero_device_t:chr_file { read open getattr map };
>  @end_dpdk@
>
>  #============= Transition allows =============
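Review bot: because the NOTE says the AVC logs behind this rule are gone, the need for `map` on `zero_device_t:chr_file` (rather than plain `read`) cannot be checked from the patch; when the scenario is recreated, quoting the audit2allow output in the commit message would settle it. The permission set itself is appropriately read-only (no `write`), which matches the /dev/zero copy described above, and it depends on the `type zero_device_t;` require and the `map` addition to `class chr_file` in the first hunk, so the three hunks must land together.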
> --
> 2.14.3
>

