[ovs-dev] [PATCH] selinux: Add missing permissions for ovs-kmod-ctl

Ilya Maximets i.maximets at ovn.org
Wed Sep 16 14:04:49 UTC 2020


On 9/3/20 8:21 PM, Ansis wrote:
> Acked-by: Ansis Atteka <aatteka at ovn.org>
> 
> On Thu, Sep 3, 2020, 10:03 AM Yi-Hung Wei <yihung.wei at gmail.com> wrote:
> 
>> On RHEL 8, a SELinux policy is missing when ovs-kmod-ctl uses modprobe
>> to load kernel modules.  This patch adds the missing permissions based
>> on /var/log/audit/audit.log.
>>
>> Example log of the AVC violations:
>>   type=AVC msg=audit(1599075387.136:65): avc:  denied  { read } for
>>   pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629
>>   scontext=system_u:system_r:openvswitch_load_module_t:s0
>>   tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
>>
>>   type=AVC msg=audit(1599085253.148:45): avc:  denied  { open } for
>>   pid=1355 comm="modprobe"
>>   path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin"
>>   dev="dm-0" ino=624258
>>   scontext=system_u:system_r:openvswitch_load_module_t:s0
>>   tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
>>
>> VMWare-BZ: #2633569
>> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
>> ---

Thanks!

Applied to master and backported down to 2.13.

Best regards, Ilya Maximets.

