authorJoe Stringer <joe@ovn.org>2016-07-22 14:10:51 -0700
committerJoe Stringer <joe@ovn.org>2016-07-26 12:37:23 -0700
commit5e2e3ada0f6fbfb01aae350b254353d628a655b6 (patch)
tree3b00a398764bec5de7f48031e1780227eafe8c09 /selinux
parent30b79363b9675a9ff8e08da7f892fe1ca19bd741 (diff)
selinux: Allow ovs-ctl force-reload-kmod.
When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch force-reload-kmod', spurious errors related to 'hostname' and 'ip' would be printed, and the system's selinux audit log would complain about some of the invocations, such as those listed at the end of this commit message. This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as well as all of the OVS daemons) to allow it to execute the 'hostname' and 'ip' commands, and also to execute temporary files created as openvswitch_tmp_t. This allows force-reload-kmod to run correctly.

Example audit logs:

type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file

VMware-BZ: #1692972
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Flavio Leitner <fbl@sysclose.org>
Diffstat (limited to 'selinux')
-rw-r--r--selinux/openvswitch-custom.te9
1 files changed, 8 insertions, 1 deletions
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
index fc32b97ea..47ddb562c 100644
--- a/selinux/openvswitch-custom.te
+++ b/selinux/openvswitch-custom.te
@@ -1,9 +1,16 @@
-module openvswitch-custom 1.0;
+module openvswitch-custom 1.0.1;
require {
type openvswitch_t;
+ type openvswitch_tmp_t;
+ type ifconfig_exec_t;
+ type hostname_exec_t;
class netlink_socket { setopt getopt create connect getattr write read };
+ class file { write getattr read open execute execute_no_trans };
}
#============= openvswitch_t ==============
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
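Review bot: The last added line grants openvswitch_t both execute and execute_no_trans on openvswitch_tmp_t, the label the audit log shows on ovs-ctl's mktemp file, so anything a process in this domain can write under that label becomes executable in the same domain without a transition; this is the broadest loosening in the hunk and it is shared by every OVS daemon, not just ovs-ctl, yet nothing in the file records why. Since the need appears to come from the restore script ovs-save writes to a temporary file, consider a comment above the rule such as `# ovs-ctl force-reload-kmod executes the restore script that ovs-save writes to a mktemp file; note this also lets a compromised daemon run anything it can write with this label.` The hostname and ip rules use execute_no_trans, so those binaries run inside openvswitch_t with its permissions rather than transitioning to their own domains; if the policy-devel headers on the build host provide them, the refpolicy interfaces `hostname_exec(openvswitch_t)` and `sysnet_exec_ifconfig(openvswitch_t)` express the same intent and track upstream type renames. Separately, `write` is listed in the new `class file { ... }` require line but no new allow rule uses it, so it can be dropped to keep the require block minimal.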