Message ID | 20180601182849.12984-4-aconole@redhat.com |
---|---|
State | Accepted |
Series | selinux: introduce a transition domain for loading kmods | expand |
On Fri, 1 Jun 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote: > > The ovs-vswitchd daemon requires both CAP_NET_RAW and > CAP_NET_BROADCAST, but these are generally policy prevented by > selinux. This allows these capabilities to be retained by the > openvswitch_t domain. > > example: > > type=AVC msg=audit(1527876508.109:3043): avc: denied { > net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11 > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 > > type=AVC msg=audit(1527876508.109:3043): avc: denied { > net_raw } for pid=5368 comm="ovs-vswitchd" capability=11 > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0 > > Signed-off-by: Aaron Conole <aconole@redhat.com> Acked-by: Ansis Atteka <aatteka@ovn.org> > --- > selinux/openvswitch-custom.te.in | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > index 556e9d6a3..5bd2e1274 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -37,7 +37,7 @@ require { > type vfio_device_t; > @end_dpdk@ > > - class capability { dac_override audit_write }; > + class capability { dac_override audit_write net_broadcast net_raw }; > class chr_file { write getattr read open ioctl }; > class dir { write remove_name add_name lock read getattr search open }; > class fd { use }; 
> @@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); > domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); > > #============= openvswitch_t ============== > -allow openvswitch_t self:capability { dac_override audit_write }; > +allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; > allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; > allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; > > -- > 2.14.3 >
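Review bot: the second AVC line in the quoted commit message reports capability=11 for the net_raw denial, but 11 is CAP_NET_BROADCAST (the same number the first line carries); CAP_NET_RAW is 13, and both lines also share audit serial 3043, so the net_raw line looks like a copy of the net_broadcast line with only the permission name edited. Paste the real net_raw denial (it would show capability=13) so the commit message matches the two permissions the hunks add.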
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 556e9d6a3..5bd2e1274 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -37,7 +37,7 @@ require { type vfio_device_t; @end_dpdk@ - class capability { dac_override audit_write }; + class capability { dac_override audit_write net_broadcast net_raw }; class chr_file { write getattr read open ioctl }; class dir { write remove_name add_name lock read getattr search open }; class fd { use }; @@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); #============= openvswitch_t ============== -allow openvswitch_t self:capability { dac_override audit_write }; +allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
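Review bot: the allow rule in the second hunk grants openvswitch_t net_raw with nothing in the .te saying why; net_raw permits raw and packet sockets and binding to any local address, which is considerably broader than the net_broadcast permission it is paired with, so a one-line comment above `allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };` naming what ovs-vswitchd uses it for would let a later reviewer judge whether the grant can be narrowed. The require block in the first hunk is consistent with the new rule and needs no change.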
The ovs-vswitchd daemon requires both CAP_NET_RAW and CAP_NET_BROADCAST, but these are generally policy prevented by selinux. This allows these capabilities to be retained by the openvswitch_t domain.

example:

type=AVC msg=audit(1527876508.109:3043): avc: denied { net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

type=AVC msg=audit(1527876508.109:3043): avc: denied { net_raw } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/openvswitch-custom.te.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
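The commit message derives the new `allow` rule from AVC denials by hand. The script below is an added example, not Open vSwitch code and not audit2allow: it parses capability-class AVC lines like the two above, cross-checks the numeric `capability=` field against the permission name using the constant values from `<linux/capability.h>`, and emits the `allow` rule the denials call for. Run over the two lines from the commit message it flags the `net_raw` line, whose `capability=11` is CAP_NET_BROADCAST rather than CAP_NET_RAW (13). The function names `parse_avc`, `capability_mismatches` and `allow_rules` are this example's own, and the third sample line (a `net_admin` denial) is constructed to show grouping; it is not from the page.

```python
import re
from collections import defaultdict

# Capability numbers as defined in <linux/capability.h>. SELinux checks
# numbers 0-31 under the "capability" class and 32 and up under "capability2".
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

# First two lines are the ones from the commit message; the third is a
# constructed net_admin denial added for this example.
SAMPLE_LINES = [
    'type=AVC msg=audit(1527876508.109:3043): avc: denied { net_broadcast } '
    'for pid=5368 comm="ovs-vswitchd" capability=11 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1527876508.109:3043): avc: denied { net_raw } '
    'for pid=5368 comm="ovs-vswitchd" capability=11 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1527876600.000:3050): avc: denied { net_admin } '
    'for pid=5368 comm="ovs-vswitchd" capability=12 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    # key=value pairs; comm= is quoted, contexts are colon-separated tokens
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def source_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def capability_mismatches(records):
    """Flag capability denials whose capability= number does not name the
    permission that was denied (a tell-tale of a hand-edited log line)."""
    bad = []
    for rec in records:
        if rec.get("tclass") not in ("capability", "capability2"):
            continue
        num = int(rec["capability"])
        expected = CAP_NAMES.get(num)
        for perm in rec["perms"]:
            if perm != expected:
                bad.append((rec.get("pid"), perm, num, expected))
    return bad


def allow_rules(records):
    """Group denials by (source type, target, class) and print allow rules.
    A target equal to the source is written as 'self', as in the patch."""
    grouped = defaultdict(set)
    for rec in records:
        src = source_type(rec["scontext"])
        tgt = "self" if rec["scontext"] == rec["tcontext"] \
            else source_type(rec["tcontext"])
        grouped[(src, tgt, rec["tclass"])].update(rec["perms"])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_LINES) if r]
    for pid, perm, num, expected in capability_mismatches(recs):
        print(f"pid {pid}: denied {perm} but capability={num} is {expected}")
    for rule in allow_rules(recs):
        print(rule)
```

The generated rule is a starting point for review, not something to paste into the policy unread: as the mismatch check shows, a denial line that has been edited by hand no longer says which capability the kernel actually checked, and a rule built from it can grant more than the daemon needs.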