diff options
| author | Aaron Conole <aconole@redhat.com> | 2019-04-17 16:07:25 -0400 |
|---|---|---|
| committer | Ansis Atteka <aatteka@ovn.org> | 2019-04-21 14:03:02 -0700 |
| commit | abf85df81a1458d0e97f5a001586898a70b79529 (patch) | |
| tree | 6821acb2c97367548ab62d31dd23c8bf895fe7f8 /selinux | |
| parent | af741ca3466f6095ce8e4f6ff278d50a25ba7022 (diff) | |
| download | openvswitch-abf85df81a1458d0e97f5a001586898a70b79529.tar.gz | |
selinux: update for netlink socket types
These are used for interfacing with conntrack, as well as by some
DPDK PMDs
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Diffstat (limited to 'selinux')
| -rw-r--r-- | selinux/openvswitch-custom.te.in | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 26495828a..2adaf231f 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -49,6 +49,10 @@ require { class filesystem getattr; class lnk_file { read open }; class netlink_audit_socket { create nlmsg_relay audit_write read write }; + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; +@begin_dpdk@ + class netlink_rdma_socket { setopt bind create }; +@end_dpdk@ class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; class system { module_load module_request }; @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load #============= openvswitch_t ============== allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; +@begin_dpdk@ +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; +@end_dpdk@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; |