authorAaron Conole <aconole@redhat.com>2018-06-01 14:28:46 -0400
committerAnsis Atteka <aatteka@ovn.org>2018-06-17 19:32:19 -0700
commit135901ae4de2822a20b2450d6251f70287916bf2 (patch)
treefe8779a34abf96f1b6ff1e380ecf630117255209 /selinux
parent6cd775f423f7a0e841d420d709d5cb69afeb2753 (diff)
downloadopenvswitch-135901ae4de2822a20b2450d6251f70287916bf2.tar.gz
selinux: allow openvswitch_t net_broadcast and net_raw
The ovs-vswitchd daemon requires both CAP_NET_RAW and CAP_NET_BROADCAST, but these are generally prevented by SELinux policy. This allows the openvswitch_t domain to retain these capabilities. Example: type=AVC msg=audit(1527876508.109:3043): avc: denied { net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 type=AVC msg=audit(1527876508.109:3043): avc: denied { net_raw } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 Acked-by: Ansis Atteka <aatteka@ovn.org> Signed-off-by: Aaron Conole <aconole@redhat.com>
Diffstat (limited to 'selinux')
-rw-r--r--selinux/openvswitch-custom.te.in4
1 files changed, 2 insertions, 2 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 556e9d6a3..5bd2e1274 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -37,7 +37,7 @@ require {
type vfio_device_t;
@end_dpdk@
- class capability { dac_override audit_write };
+ class capability { dac_override audit_write net_broadcast net_raw };
class chr_file { write getattr read open ioctl };
class dir { write remove_name add_name lock read getattr search open };
class fd { use };
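Review bot: The widened permission set on the `class capability` line carries no explanation in the policy file itself, and the same applies to the matching `allow openvswitch_t self:capability` rule in the second hunk; net_raw in particular is a broad capability, so a reviewer auditing this domain's footprint later will want to know which daemon operation needs it rather than having to dig the AVC denials out of commit history. A one-line comment above the allow rule, e.g. `# ovs-vswitchd needs net_raw and net_broadcast; see the AVC denials in commit 135901ae4de2`, would record the justification where the grant lives. The rule stays scoped to self, which is as narrow as a capability grant gets here, so no further tightening is suggested. The enclosing `require { ... }` block starts outside this hunk.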
@@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
#============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };