# SPDX-License-Identifier: Apache-2.0

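# Custom SELinux policy module for Open vSwitch.
#
# Two things are added on top of the distribution's openvswitch policy:
#   1. extra permissions for the main daemon domain (openvswitch_t), with a
#      DPDK-specific subset fenced by @begin_dpdk@ / @end_dpdk@ markers;
#   2. a dedicated helper domain (openvswitch_load_module_t) that is the only
#      domain in this module allowed to load kernel modules, entered from
#      openvswitch_t through a domain transition on
#      openvswitch_load_module_exec_t.
#
# @VERSION@ and the @begin_dpdk@/@end_dpdk@ markers are template placeholders
# in this .in file; the generated .te carries the substituted values.
module openvswitch-custom @VERSION@;

# Everything declared by the base policy that this module references must be
# listed here.  Permission sets inside a require block are sets: a duplicated
# permission name adds nothing, so each one is listed once.
require {
        role system_r;
        role object_r;

        type openvswitch_t;
        type openvswitch_rw_t;
        type openvswitch_tmp_t;
        type openvswitch_var_run_t;

        type bin_t;
        type ifconfig_exec_t;
        type init_t;
        type init_var_run_t;
        type insmod_exec_t;
        type kernel_t;
        type hostname_exec_t;
        type modules_conf_t;
        type modules_dep_t;
        type modules_object_t;
        type passwd_file_t;
        type plymouth_exec_t;
        type proc_t;
        type shell_exec_t;
        type sssd_t;
        type sssd_public_t;
        type sssd_var_lib_t;
        type sysfs_t;
        type systemd_unit_file_t;
        type tun_tap_device_t;

# Types only needed by the DPDK rules below (hugepages, VFIO, vhost-user
# sockets shared with svirt guests).
@begin_dpdk@
        type hugetlbfs_t;
        type svirt_t;
        type svirt_image_t;
        type svirt_tmpfs_t;
        type vfio_device_t;
        type zero_device_t;
@end_dpdk@

        class capability { dac_override audit_write net_broadcast net_raw };
        class chr_file { write getattr read open ioctl map };
        class dir { write remove_name add_name lock read getattr search open };
        class fd { use };
        class file { map write getattr read open execute execute_no_trans create unlink entrypoint lock ioctl };
        class fifo_file { getattr read write append ioctl lock open };
        class filesystem getattr;
        class lnk_file { read open };
        class netlink_audit_socket { create nlmsg_relay audit_write read write };
        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
@begin_dpdk@
        class netlink_rdma_socket { setopt bind create };
@end_dpdk@
        class netlink_socket { setopt getopt create connect getattr write read };
        class sock_file { write };
        class system { module_load module_request };
        class process { sigchld signull transition noatsecure siginh rlimitinh };
        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };

# sock_file is required twice on purpose: the non-DPDK set above is needed
# by the module-loader rules, the extra permissions here only by DPDK.
@begin_dpdk@
        class sock_file { read append getattr open };
        class tun_socket { relabelfrom relabelto create };
@end_dpdk@
}

#============= Set up the transition domain =============
# openvswitch_load_module_t is the domain the module-loading helper runs in;
# openvswitch_load_module_exec_t labels the helper's executable.
type openvswitch_load_module_exec_t;
type openvswitch_load_module_t;

# NOTE(review): domain_type() and "role object_r types" are applied to the
# *_exec_t type as well as to the domain; for a type that labels an executable
# file this is unusual (a file type rather than a domain is what
# domain_entry_file() expects) - confirm this is intended.
domain_type(openvswitch_load_module_exec_t);
domain_type(openvswitch_load_module_t);
role object_r types openvswitch_load_module_exec_t;
role system_r types openvswitch_load_module_t;
domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
# openvswitch_t -> openvswitch_load_module_t when executing the helper.
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);

#============= openvswitch_t ==============
# Capabilities and netlink sockets the daemon itself uses (audit messages,
# netfilter, raw/broadcast networking).  No module_load is granted here:
# that is confined to openvswitch_load_module_t below.
allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
@begin_dpdk@
allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
@end_dpdk@
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };

# hostname / ifconfig are run without a domain transition (execute_no_trans),
# so they execute inside openvswitch_t.
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };

# NOTE(review): the two rules below grant execute on files this domain can
# itself create/write (openvswitch_rw_t) and on openvswitch_tmp_t files.
# That lets a compromised daemon run code it has written into those
# locations; keep this list tied to the helper scripts that actually need it.
allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };

# DPDK datapath: hugepage-backed memory, VFIO device access, /dev/zero
# mapping and vhost-user sockets/memory shared with svirt guests.
@begin_dpdk@
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
allow openvswitch_t hugetlbfs_t:file { create unlink map };
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
allow openvswitch_t svirt_image_t:file { getattr read write };
allow openvswitch_t svirt_tmpfs_t:file { read write };
allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
allow openvswitch_t zero_device_t:chr_file { read open getattr map };
@end_dpdk@

#============= Transition allows =============
# Explicit rules backing the domtrans_pattern() above: exec of the helper
# binary from openvswitch_t lands in openvswitch_load_module_t.
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
allow openvswitch_t openvswitch_load_module_t:process transition;

# What the module-loading helper may touch: shell/insmod/plymouth binaries,
# modprobe's configuration and module files, sysfs/proc, and sssd for name
# lookups.  module_request (on kernel_t) and module_load (on self) are the
# privileges that distinguish this domain from openvswitch_t.
allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
allow openvswitch_load_module_t kernel_t:system module_request;
allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
allow openvswitch_load_module_t modules_dep_t:file { getattr map open read };
allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
allow openvswitch_load_module_t proc_t:file { getattr open read };
allow openvswitch_load_module_t self:system module_load;
# Inherited-state permissions for the transition (signal state, rlimits,
# AT_SECURE handling); siginh listed once.
allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh };
allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr };
allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
allow openvswitch_load_module_t sysfs_t:file { open read };
allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;

# no need to grant search permissions for this - and no need to emit
# an error, either.
dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search };

# Reference-policy interface granting the kernel-module loading privileges
# to the helper domain only.
kernel_load_module(openvswitch_load_module_t);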