# SPDX-License-Identifier: Apache-2.0 module openvswitch-custom @VERSION@; require { role system_r; role object_r; type openvswitch_t; type openvswitch_rw_t; type openvswitch_tmp_t; type openvswitch_var_run_t; type bin_t; type ifconfig_exec_t; type init_t; type init_var_run_t; type insmod_exec_t; type kernel_t; type hostname_exec_t; type modules_conf_t; type modules_dep_t; type modules_object_t; type passwd_file_t; type plymouth_exec_t; type proc_t; type shell_exec_t; type sssd_t; type sssd_public_t; type sssd_var_lib_t; type sysfs_t; type systemd_unit_file_t; type tun_tap_device_t; @begin_dpdk@ type hugetlbfs_t; type svirt_t; type svirt_image_t; type svirt_tmpfs_t; type vfio_device_t; type zero_device_t; @end_dpdk@ class capability { dac_override audit_write net_broadcast net_raw }; class chr_file { write getattr read open ioctl map }; class dir { write remove_name add_name lock read getattr search open }; class fd { use }; class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; class fifo_file { getattr read write append ioctl lock open }; class filesystem getattr; class lnk_file { read open }; class netlink_audit_socket { create nlmsg_relay audit_write read write }; class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; @begin_dpdk@ class netlink_rdma_socket { setopt bind create }; @end_dpdk@ class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; class system { module_load module_request }; class process { sigchld signull transition noatsecure siginh rlimitinh }; class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; @begin_dpdk@ class sock_file { read append getattr open }; class tun_socket { relabelfrom relabelto create }; @end_dpdk@ } #============= Set up the transition domain ============= type openvswitch_load_module_exec_t; type openvswitch_load_module_t; domain_type(openvswitch_load_module_exec_t); domain_type(openvswitch_load_module_t); role object_r types openvswitch_load_module_exec_t; role system_r types openvswitch_load_module_t; domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); #============= openvswitch_t ============== allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; @begin_dpdk@ allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; @end_dpdk@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search }; allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock }; allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink }; allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; @begin_dpdk@ allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read }; allow openvswitch_t hugetlbfs_t:file { create unlink map }; allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t self:tun_socket { relabelfrom relabelto create }; allow openvswitch_t svirt_image_t:file { getattr read write }; allow openvswitch_t svirt_tmpfs_t:file { read write }; allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; allow openvswitch_t zero_device_t:chr_file { read open getattr map }; @end_dpdk@ #============= Transition allows ============= type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t; allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr }; allow openvswitch_t openvswitch_load_module_t:process transition; allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; allow openvswitch_load_module_t kernel_t:system module_request; allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; allow openvswitch_load_module_t modules_dep_t:file { getattr map open read }; allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; allow openvswitch_load_module_t passwd_file_t:file { getattr open read }; allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map }; allow openvswitch_load_module_t proc_t:file { getattr open read }; allow openvswitch_load_module_t self:system module_load; allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh }; allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr }; allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search }; allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto; allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search }; allow openvswitch_load_module_t sssd_var_lib_t:sock_file write; allow openvswitch_load_module_t sysfs_t:dir { getattr open read search }; allow openvswitch_load_module_t sysfs_t:file { open read }; allow openvswitch_load_module_t sysfs_t:lnk_file { read open }; allow openvswitch_load_module_t systemd_unit_file_t:dir getattr; # no need to grant search permissions for this - and no need to emit # an error, either. dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search }; kernel_load_module(openvswitch_load_module_t);