summaryrefslogtreecommitdiff
path: root/selinux/openvswitch-custom.te.in
diff options
context:
space:
mode:
Diffstat (limited to 'selinux/openvswitch-custom.te.in')
-rw-r--r--selinux/openvswitch-custom.te.in40
1 files changed, 39 insertions, 1 deletions
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 47ddb562c..853de1618 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -2,15 +2,53 @@ module openvswitch-custom 1.0.1;
require {
type openvswitch_t;
+ type openvswitch_rw_t;
type openvswitch_tmp_t;
+ type openvswitch_var_run_t;
+
type ifconfig_exec_t;
type hostname_exec_t;
+ type tun_tap_device_t;
+
+@begin_dpdk@
+ type hugetlbfs_t;
+ type kernel_t;
+ type svirt_image_t;
+ type vfio_device_t;
+@end_dpdk@
+
+ class capability { dac_override audit_write };
+ class dir { write remove_name add_name lock read };
+ class file { write getattr read open execute execute_no_trans create unlink };
+ class netlink_audit_socket { create nlmsg_relay audit_write read write };
class netlink_socket { setopt getopt create connect getattr write read };
- class file { write getattr read open execute execute_no_trans };
+ class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+
+@begin_dpdk@
+ class chr_file { write getattr read open ioctl };
+ class tun_socket { relabelfrom relabelto create };
+@end_dpdk@
}
#============= openvswitch_t ==============
+allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+
+allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
+allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
+
+@begin_dpdk@
+allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
+allow openvswitch_t hugetlbfs_t:file { create unlink };
+allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
+allow openvswitch_t svirt_image_t:file { getattr read write };
+allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
+@end_dpdk@
View Lorry Controller Status