author | Aaron Conole <aconole@redhat.com> | 2018-06-01 14:28:46 -0400 |
---|---|---|
committer | Ansis Atteka <aatteka@ovn.org> | 2018-06-17 19:32:19 -0700 |
commit | 135901ae4de2822a20b2450d6251f70287916bf2 (patch) | |
tree | fe8779a34abf96f1b6ff1e380ecf630117255209 /selinux/openvswitch-custom.te.in | |
parent | 6cd775f423f7a0e841d420d709d5cb69afeb2753 (diff) | |
download | openvswitch-135901ae4de2822a20b2450d6251f70287916bf2.tar.gz |
selinux: allow openvswitch_t net_broadcast and net_raw
The ovs-vswitchd daemon requires both CAP_NET_RAW and
CAP_NET_BROADCAST, but these are generally prevented by SELinux
policy. This change allows these capabilities to be retained by the
openvswitch_t domain.
example:
type=AVC msg=audit(1527876508.109:3043): avc: denied {
net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527876508.109:3043): avc: denied {
net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
Acked-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Diffstat (limited to 'selinux/openvswitch-custom.te.in')
-rw-r--r-- | selinux/openvswitch-custom.te.in | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 556e9d6a3..5bd2e1274 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -37,7 +37,7 @@ require {
 type vfio_device_t;
 @end_dpdk@
-class capability { dac_override audit_write };
+class capability { dac_override audit_write net_broadcast net_raw };
 class chr_file { write getattr read open ioctl };
 class dir { write remove_name add_name lock read getattr search open };
 class fd { use };
@@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
 domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
 
 #============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
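Review bot: The widened `allow openvswitch_t self:capability { ... net_broadcast net_raw }` rule in the second hunk carries no comment explaining why the domain now needs these two capabilities, which matters because net_raw in particular is a broad grant (raw and packet sockets) that later policy audits will want to trace back to a concrete requirement rather than re-justify or widen further. Adding `# ovs-vswitchd needs CAP_NET_RAW and CAP_NET_BROADCAST; see the AVC denials in the commit that added them` directly above the allow line would keep that rationale in the policy file itself, where reviewers of openvswitch-custom.te.in will see it. The first hunk's `class capability { ... }` entry in the `require` block only declares the permissions and needs no separate note. As a minor aside, the two AVC examples in the commit message both report `capability=11`; CAP_NET_BROADCAST is 11 while CAP_NET_RAW is 13, so the second example looks like a copy of the first, which is worth fixing in the log message so the evidence for net_raw is accurate.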