diff options
| author | Aaron Conole <aconole@redhat.com> | 2017-08-31 19:22:43 -0400 |
|---|---|---|
| committer | Ansis Atteka <aatteka@ovn.org> | 2017-08-31 16:27:16 -0700 |
| commit | 7bc1aae71e8908d775d988f82f683533f253e6f4 (patch) | |
| tree | e45aea477c6f696fdcdb57a227d501e44cafa6cb /selinux/openvswitch-custom.te.in | |
| parent | ab27bfa6dc2926ff46b9d2bac40b6807a700738c (diff) | |
| download | openvswitch-7bc1aae71e8908d775d988f82f683533f253e6f4.tar.gz | |
rhel: make the selinux policy intermediate
This will be used by an upcoming commit to have @begin_ and @end_ dpdk
blocks to keep dpdk specific policy decisions only active when dpdk is
used.
Acked-by: Flavio Leitner <fbl@sysclose.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Tested-by: Jean Hsiao <jhsiao@redhat.com>
Diffstat (limited to 'selinux/openvswitch-custom.te.in')
| -rw-r--r-- | selinux/openvswitch-custom.te.in | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in new file mode 100644 index 000000000..47ddb562c --- /dev/null +++ b/selinux/openvswitch-custom.te.in @@ -0,0 +1,16 @@ +module openvswitch-custom 1.0.1; + +require { + type openvswitch_t; + type openvswitch_tmp_t; + type ifconfig_exec_t; + type hostname_exec_t; + class netlink_socket { setopt getopt create connect getattr write read }; + class file { write getattr read open execute execute_no_trans }; +} + +#============= openvswitch_t ============== +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; +allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; |