[ovs-dev] [PATCH] selinux: update for netlink socket types

Aaron Conole aconole at redhat.com
Mon Apr 29 12:24:58 UTC 2019


Ansis Atteka <ansisatteka at gmail.com> writes:

> On Thu, 18 Apr 2019 at 14:00, Aaron Conole <aconole at redhat.com> wrote:
>>
>> Ansis Atteka <ansisatteka at gmail.com> writes:
>>
>> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole at redhat.com> wrote:
>> >>
>> >> These are used for interfacing with conntrack, as well as by some
>> >> DPDK PMDs
>> >
>> > Did you get these with audit2allow? If so, then looks good to me.
>>
>> Yes.  Sorry, I should have put the AVCs and the resulting permissions
>> stuff in the commit message.  I'll do that next time.
>
>
>
> Acked-by: Ansis Atteka <aatteka at ovn.org>
>
> Pushed it to master branch.

Thanks, Ansis!

>>
>> >> Signed-off-by: Aaron Conole <aconole at redhat.com>
>> >> ---
>> >>  selinux/openvswitch-custom.te.in | 8 ++++++++
>> >>  1 file changed, 8 insertions(+)
>> >>
>> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
>> >> index 26495828a..2adaf231f 100644
>> >> --- a/selinux/openvswitch-custom.te.in
>> >> +++ b/selinux/openvswitch-custom.te.in
>> >> @@ -49,6 +49,10 @@ require {
>> >>          class filesystem getattr;
>> >>          class lnk_file { read open };
>> >>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
>> >> +        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> >> + at begin_dpdk@
>> >> +        class netlink_rdma_socket { setopt bind create };
>> >> + at end_dpdk@
>> >>          class netlink_socket { setopt getopt create connect getattr write read };
>> >>          class sock_file { write };
>> >>          class system { module_load module_request };
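Review bot: the permission set requested for netlink_netfilter_socket at `+        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };` is a verbatim copy of the netlink_audit_socket line directly above it, including the audit-oriented `nlmsg_relay` and `audit_write`. Since the list came from audit2allow, please paste the AVC denials into the commit message (as offered in the reply above) and keep only the permissions that actually appeared in them; conntrack interfacing through the netfilter netlink socket should not need audit-style permissions unless the AVCs show otherwise. The `@begin_dpdk@` / `@end_dpdk@` wrapping of the netlink_rdma_socket class (rendered as ` at begin_dpdk@` by the list archive) correctly keeps that class out of non-DPDK builds.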
>> >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
>> >>  #============= openvswitch_t ==============
>> >>  allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>> >>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>> >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> >> + at begin_dpdk@
>> >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>> >> + at end_dpdk@
>> >>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>> >>
>> >>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
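Review bot: the allow rules mirror the require block exactly, and `+allow openvswitch_t self:netlink_rdma_socket { setopt bind create };` is correctly confined to the `@begin_dpdk@` / `@end_dpdk@` region, but the commit message only says "some DPDK PMDs". Name the PMD that produced the netlink_rdma_socket denial, so a later reviewer can tell whether the rule is still needed when that driver changes, and so the rule is not silently kept for all DPDK builds once it stops being necessary. The same applies to the netfilter rule: stating that it is for conntrack is good, but the AVC lines would show whether `nlmsg_relay audit_write` are really required or were carried over from the audit socket line above.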
>> >> --
>> >> 2.19.1
>> >>

