authorAaron Conole <aconole@redhat.com>2018-06-01 14:28:45 -0400
committerAnsis Atteka <aatteka@ovn.org>2018-06-17 19:32:12 -0700
commit6cd775f423f7a0e841d420d709d5cb69afeb2753 (patch)
tree882d979f89b35acf320efc02aa2f614f353a6669 /selinux
parent15117123c53ef35394667bf156842842949aaa47 (diff)
downloadopenvswitch-6cd775f423f7a0e841d420d709d5cb69afeb2753.tar.gz
selinux: create a transition type for module loading
Defines a type 'openvswitch_load_module_t' used exclusively for loading modules. This means that the 'openvswitch_t' domain won't require access to the module loading facility - such access can only happen after transitioning through the 'openvswitch_load_module_exec_t' transition context. A future commit will instruct the selinux policy on how to label the appropriate script with extended attributes to make use of this new domain. Acked-by: Ansis Atteka <aatteka@ovn.org> Acked-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Aaron Conole <aconole@redhat.com>
Diffstat (limited to 'selinux')
-rw-r--r--selinux/openvswitch-custom.te.in83
1 files changed, 78 insertions, 5 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index db3cf6d8d..556e9d6a3 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -1,13 +1,31 @@
module openvswitch-custom 1.0.1;
require {
+ role system_r;
+ role object_r;
+
type openvswitch_t;
type openvswitch_rw_t;
type openvswitch_tmp_t;
type openvswitch_var_run_t;
+ type bin_t;
type ifconfig_exec_t;
+ type init_t;
+ type init_var_run_t;
+ type insmod_exec_t;
type hostname_exec_t;
+ type modules_conf_t;
+ type modules_object_t;
+ type passwd_file_t;
+ type plymouth_exec_t;
+ type proc_t;
+ type shell_exec_t;
+ type sssd_t;
+ type sssd_public_t;
+ type sssd_var_lib_t;
+ type sysfs_t;
+ type systemd_unit_file_t;
type tun_tap_device_t;
@begin_dpdk@
@@ -21,18 +39,36 @@ require {
class capability { dac_override audit_write };
class chr_file { write getattr read open ioctl };
- class dir { write remove_name add_name lock read };
- class file { write getattr read open execute execute_no_trans create unlink };
+ class dir { write remove_name add_name lock read getattr search open };
+ class fd { use };
+ class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+ class fifo_file { getattr read write append ioctl lock open };
+ class filesystem getattr;
+ class lnk_file { read open };
class netlink_audit_socket { create nlmsg_relay audit_write read write };
class netlink_socket { setopt getopt create connect getattr write read };
- class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+ class sock_file { write };
+ class system module_load;
+ class process { sigchld signull transition noatsecure siginh rlimitinh };
+ class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
@begin_dpdk@
- class sock_file { read write append getattr open };
+ class sock_file { read append getattr open };
class tun_socket { relabelfrom relabelto create };
@end_dpdk@
}
+#============= Set up the transition domain =============
+type openvswitch_load_module_exec_t;
+type openvswitch_load_module_t;
+
+domain_type(openvswitch_load_module_exec_t);
+domain_type(openvswitch_load_module_t);
+role object_r types openvswitch_load_module_exec_t;
+role system_r types openvswitch_load_module_t;
+domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
+domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
+
#============= openvswitch_t ==============
allow openvswitch_t self:capability { dac_override audit_write };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
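Review bot: `domain_type(openvswitch_load_module_exec_t);` at L79 gives the domain attribute to a type that the same hunk treats as a file label (assigned to object_r at L81 and used as the entry file at L83), which looks inconsistent and may pull in every rule written against the domain attribute. If this policy is built against refpolicy, the usual idiom is `application_domain(openvswitch_load_module_t, openvswitch_load_module_exec_t);`, which declares the exec type as an executable file and the domain as a domain in one step, or at least `application_executable_file(openvswitch_load_module_exec_t);` in place of the first domain_type call. A short comment above L76 stating which script will be labelled openvswitch_load_module_exec_t would also help the reader, since the commit message defers that to a later change.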
@@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
-allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
+allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
@begin_dpdk@
@@ -58,3 +95,39 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
@end_dpdk@
+
+#============= Transition allows =============
+type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
+allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
+allow openvswitch_t openvswitch_load_module_t:process transition;
+
+allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
+allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
+allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
+allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
+allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
+allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
+allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
+allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
+allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
+allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
+allow openvswitch_load_module_t proc_t:file { getattr open read };
+allow openvswitch_load_module_t self:system module_load;
+allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
+allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
+allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
+allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
+allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
+allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
+allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
+allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
+allow openvswitch_load_module_t sysfs_t:file { open read };
+allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
+allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
+
+# no need to grant search permissions for this - and no need to emit
+# an error, either.
+dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search };
+
+kernel_load_module(openvswitch_load_module_t);
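Review bot: `siginh` appears twice in the permission set at L123, `allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };`; drop the duplicate so the line reads `{ siginh noatsecure rlimitinh }`. The explicit rules at L106-L108 and L118 restate what `domtrans_pattern` and `domain_entry_file` in the earlier hunk already generate (type_transition, execute on the exec file, process transition, entrypoint), assuming those macros expand as in refpolicy, so they can go or be kept with a comment saying they are intentional. The allows on passwd_file_t, plymouth_exec_t, sssd_t and sssd_var_lib_t give a domain described as "used exclusively for loading modules" reach well beyond module loading; a comment naming which step of the loading script needs each of them would make it clear these are not accidental leftovers from audit2allow.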