[ovs-dev] [PATCH v3 3/6] selinux: allow openvswitch_t net_broadcast and net_raw

Ansis Atteka ansisatteka at gmail.com
Mon Jun 18 02:38:46 UTC 2018


On Fri, 1 Jun 2018 at 11:28, Aaron Conole <aconole at redhat.com> wrote:
>
> The ovs-vswitchd daemon requires both CAP_NET_RAW and
> CAP_NET_BROADCAST, but these are generally policy prevented by
> selinux.  This allows these capabilities to be retained by the
> openvswitch_t domain.
>
> example:
>
>   type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
>   net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
>   scontext=system_u:system_r:openvswitch_t:s0
>   tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
>
>   type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
>   net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
>   scontext=system_u:system_r:openvswitch_t:s0
>   tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
>
> Signed-off-by: Aaron Conole <aconole at redhat.com>
Acked-by: Ansis Atteka <aatteka at ovn.org>
> ---
>  selinux/openvswitch-custom.te.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index 556e9d6a3..5bd2e1274 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -37,7 +37,7 @@ require {
>          type vfio_device_t;
>  @end_dpdk@
>
> -        class capability { dac_override audit_write };
> +        class capability { dac_override audit_write net_broadcast net_raw };
>          class chr_file { write getattr read open ioctl };
>          class dir { write remove_name add_name lock read getattr search open };
>          class fd { use };
> @@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
>  domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
>
>  #============= openvswitch_t ==============
> -allow openvswitch_t self:capability { dac_override audit_write };
> +allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>
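Review bot: the allow rule widens openvswitch_t permanently to both capabilities, but the justification in the commit message does not match the net_raw half of this line: both quoted AVC records carry the same audit id (1527876508.109:3043) and both say capability=11, which is CAP_NET_BROADCAST; a genuine CAP_NET_RAW denial would report capability=13. It looks like the second example was copied from the first. Please re-capture the denials (for example `ausearch -m AVC -c ovs-vswitchd`) and quote the real net_raw record, or drop net_raw from this rule if it never triggers, so the domain only keeps the capability that the audit log actually shows it needs.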
> --
> 2.14.3
>