From 7bc1aae71e8908d775d988f82f683533f253e6f4 Mon Sep 17 00:00:00 2001
From: Aaron Conole <aconole@redhat.com>
Date: Thu, 31 Aug 2017 19:22:43 -0400
Subject: rhel: make the selinux policy intermediate

This will be used by an upcoming commit to have @begin_ and @end_ dpdk
blocks to keep dpdk specific policy decisions only active when dpdk is
used.

Acked-by: Flavio Leitner <fbl@sysclose.org>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Tested-by: Jean Hsiao <jhsiao@redhat.com>
---
 selinux/openvswitch-custom.te.in | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 selinux/openvswitch-custom.te.in

(limited to 'selinux/openvswitch-custom.te.in')

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
new file mode 100644
index 000000000..47ddb562c
--- /dev/null
+++ b/selinux/openvswitch-custom.te.in
@@ -0,0 +1,16 @@
+module openvswitch-custom 1.0.1;
+
+require {
+        type openvswitch_t;
+        type openvswitch_tmp_t;
+        type ifconfig_exec_t;
+        type hostname_exec_t;
+        class netlink_socket { setopt getopt create connect getattr write read };
+        class file { write getattr read open execute execute_no_trans };
+}
+
+#============= openvswitch_t ==============
+allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
-- 
cgit v1.2.1