From 135901ae4de2822a20b2450d6251f70287916bf2 Mon Sep 17 00:00:00 2001
From: Aaron Conole
Date: Fri, 1 Jun 2018 14:28:46 -0400
Subject: selinux: allow openvswitch_t net_broadcast and net_raw

The ovs-vswitchd daemon requires both CAP_NET_RAW and CAP_NET_BROADCAST, but these are generally policy prevented by selinux. This allows these capabilities to be retained by the openvswitch_t domain. example:
type=AVC msg=audit(1527876508.109:3043): avc: denied { net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527876508.109:3043): avc: denied { net_raw } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

Acked-by: Ansis Atteka
Signed-off-by: Aaron Conole
---
 selinux/openvswitch-custom.te.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'selinux/openvswitch-custom.te.in')

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 556e9d6a3..5bd2e1274 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -37,7 +37,7 @@ require {
  type vfio_device_t;
 @end_dpdk@
- class capability { dac_override audit_write };
+ class capability { dac_override audit_write net_broadcast net_raw };
  class chr_file { write getattr read open ioctl };
  class dir { write remove_name add_name lock read getattr search open };
  class fd { use };
@@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
 domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
 #============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
--
cgit v1.2.1
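Review bot: The new allow rule widens openvswitch_t to net_raw and net_broadcast with no comment in the policy file saying why, so the next reader of openvswitch-custom.te.in has only the git history to justify a capability that permits raw-socket access. Add a one-line comment above the allow line, e.g. `# ovs-vswitchd needs net_raw and net_broadcast; without them it hits capability AVC denials (see commit message)`. The same two permissions are declared in the require block of the first hunk (@@ -37,7), which has to stay in step with this rule whenever either list changes. Separately, the second AVC example in the commit message reports capability=11 for net_raw, but on Linux 11 is CAP_NET_BROADCAST and CAP_NET_RAW is 13, so that line looks like a copy of the first record rather than a real denial; it is worth fixing so the message matches what the rule grants.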