Message ID | 20180320210518.9982-3-aconole@redhat.com |
---|---|
State | Changes Requested |
Series | selinux: introduce a transition domain for loading kmods |
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> Defines a type 'openvswitch_load_module_t' used exclusively for loading
> modules. This means that the 'openvswitch_t' domain won't require
> modules

Are you sure the bootstrapping to intended openvswitch_load_module_t happens properly?

In my case it does not appear to happen correctly, because the ovs-kmod-ctl does not have the right SELinux type:

[vagrant@centosbuilder ~]$ ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl
-rwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/share/openvswitch/scripts/ovs-kmod-ctl

and then in "ps -Z" I see:

unconfined_u:system_r:openvswitch_t:s0 root 32013 31995 0 21:37 ? 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl insert

After manually:

# chcon system_u:object_r:openvswitch_load_module_exec_t:s0 /usr/share/openvswitch/scripts/ovs-kmod-ctl

I see that in "ps -Z ..." output suddenly the process executing ovs-kmod-ctl transitions to the correct openvswitch_load_module_t type:

unconfined_u:system_r:openvswitch_load_module_t:s0 root 12225 12215 0 21:33 ? 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl insert

Is this a bug or am I missing something?

> access to the module loading facility - such access can only happen
> after transitioning through the 'openvswitch_load_module_exec_t'
> transition context.
>
> A future commit will label the appropriate script with extended attributes
> to make use of this new domain.
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
> selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++---
> 1 file changed, 74 insertions(+), 5 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index db3cf6d8d..31e8fab15 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -1,13 +1,31 @@ > module openvswitch-custom 1.0.1; Unrelated to your series, but I think we should peg the Open vSwitch selinux module version to the Open vSwitch version. What do you think? > > require { > + role system_r; > + role object_r; > + > type openvswitch_t; > type openvswitch_rw_t; > type openvswitch_tmp_t; > type openvswitch_var_run_t; > > + type bin_t; > type ifconfig_exec_t; > + type init_t; > + type init_var_run_t; > + type insmod_exec_t; > type hostname_exec_t; > + type modules_conf_t; > + type modules_object_t; > + type passwd_file_t; > + type plymouth_exec_t; > + type proc_t; > + type shell_exec_t; > + type sssd_t; > + type sssd_public_t; > + type sssd_var_lib_t; > + type sysfs_t; > + type systemd_unit_file_t; > type tun_tap_device_t; > > @begin_dpdk@ 
> @@ -21,18 +39,36 @@ require { > > class capability { dac_override audit_write }; > class chr_file { write getattr read open ioctl }; > - class dir { write remove_name add_name lock read }; > - class file { write getattr read open execute execute_no_trans create unlink }; > + class dir { write remove_name add_name lock read getattr search open }; > + class fd { use }; > + class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; > + class fifo_file { getattr read write append ioctl lock open }; > + class filesystem getattr; > + class lnk_file { read open }; > class netlink_audit_socket { create nlmsg_relay audit_write read write }; > class netlink_socket { setopt getopt create connect getattr write read }; > - class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; > + class sock_file { write }; > + class system module_load; > + class process { sigchld signull transition noatsecure siginh rlimitinh }; > + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; > > @begin_dpdk@ > - class sock_file { read write append getattr open }; > + class sock_file { read append getattr open }; > class tun_socket { relabelfrom relabelto create }; > @end_dpdk@ > } > > +#============= Set up the transition domain ============= > +type openvswitch_load_module_exec_t; > +type openvswitch_load_module_t; > + > +domain_type(openvswitch_load_module_exec_t); > +domain_type(openvswitch_load_module_t); > +role object_r types openvswitch_load_module_exec_t; > +role system_r types openvswitch_load_module_t; > +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); > +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); > + > #============= openvswitch_t ============== > allow openvswitch_t self:capability { dac_override audit_write }; > allow 
openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; > @@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w > allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; > allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; > > -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read }; > +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search }; I haven't inspected yet. Are these changes above to openvswitch_t type related to what you are introducing here? > allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; > allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; > allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; > +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; > allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; > > @begin_dpdk@
> @@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; > allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; > allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; > @end_dpdk@ > + > +#============= Transition allows ============= Were these simply autogenerated by audit2allow? > +type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t; > +allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr }; > +allow openvswitch_t openvswitch_load_module_t:process transition; > + > +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; > +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; > +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; > +allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; > +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; > +allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; > +allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; > +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; > +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; > +allow openvswitch_load_module_t passwd_file_t:file { getattr open read }; > +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map }; > +allow openvswitch_load_module_t proc_t:file { getattr open read }; > +allow openvswitch_load_module_t self:system module_load; > +allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh }; > +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr }; > +allow openvswitch_load_module_t sssd_public_t:dir { getattr 
open read search }; > +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; > +allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto; > +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search }; > +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write; > +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search }; > +allow openvswitch_load_module_t sysfs_t:file { open read }; > +allow openvswitch_load_module_t sysfs_t:lnk_file { read open }; > +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr; > + > +kernel_load_module(openvswitch_load_module_t); > -- > 2.14.3 >
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> Defines a type 'openvswitch_load_module_t' used exclusively for loading
>> modules. This means that the 'openvswitch_t' domain won't require
>> modules
>
> Are you sure the bootstrapping to intended openvswitch_load_module_t
> happens properly?

Are you asking whether the domain works? It did for me.

> In my case it does not appear to happen correctly, because the
> ovs-kmod-ctl does not have the right SELinux type:
>
> [vagrant@centosbuilder ~]$ ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0
> /usr/share/openvswitch/scripts/ovs-kmod-ctl
>
> and then in "ps -Z" I see:
>
> unconfined_u:system_r:openvswitch_t:s0 root 32013 31995 0 21:37 ?
> 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl insert
>
> After manually:
>
> # chcon system_u:object_r:openvswitch_load_module_exec_t:s0
> /usr/share/openvswitch/scripts/ovs-kmod-ctl
>
> I see that in "ps -Z ..." output suddenly the process executing
> ovs-kmod-ctl transitions to the correct openvswitch_load_module_t
> type:
>
> unconfined_u:system_r:openvswitch_load_module_t:s0 root 12225 12215 0
> 21:33 ? 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl
> insert
>
>
> Is this a bug or am I missing something?

This commit creates the domain, but nothing is labeled to it, until 3/4. After 3/4, the label will exist in the policy (but only get applied when the label operation is invoked, it seems - which was confusing for me). This is also why I needed 4/4 - the selinux labeling operations weren't there.

Make sense?

>> access to the module loading facility - such access can only happen
>> after transitioning through the 'openvswitch_load_module_exec_t'
>> transition context.
>>
>> A future commit will label the appropriate script with extended attributes
>> to make use of this new domain.
>> >> Signed-off-by: Aaron Conole <aconole@redhat.com> >> --- >> selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++--- >> 1 file changed, 74 insertions(+), 5 deletions(-) >> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in >> index db3cf6d8d..31e8fab15 100644 >> --- a/selinux/openvswitch-custom.te.in >> +++ b/selinux/openvswitch-custom.te.in >> @@ -1,13 +1,31 @@ >> module openvswitch-custom 1.0.1; > Unrelated to your series, but I think we should peg the Open vSwitch > selinux module version to the Open vSwitch version. What do you think? I think it's a good idea. I can fold it in as a new patch in the series. Or if you want to submit it formally, go ahead and include my Acked-by :) >> >> require { >> + role system_r; >> + role object_r; >> + >> type openvswitch_t; >> type openvswitch_rw_t; >> type openvswitch_tmp_t; >> type openvswitch_var_run_t; >> >> + type bin_t; >> type ifconfig_exec_t; >> + type init_t; >> + type init_var_run_t; >> + type insmod_exec_t; >> type hostname_exec_t; >> + type modules_conf_t; >> + type modules_object_t; >> + type passwd_file_t; >> + type plymouth_exec_t; >> + type proc_t; >> + type shell_exec_t; >> + type sssd_t; >> + type sssd_public_t; >> + type sssd_var_lib_t; >> + type sysfs_t; >> + type systemd_unit_file_t; >> type tun_tap_device_t; >> >> @begin_dpdk@ 
>> @@ -21,18 +39,36 @@ require { >> >> class capability { dac_override audit_write }; >> class chr_file { write getattr read open ioctl }; >> - class dir { write remove_name add_name lock read }; >> - class file { write getattr read open execute execute_no_trans create unlink }; >> + class dir { write remove_name add_name lock read getattr search open }; >> + class fd { use }; >> + class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; >> + class fifo_file { getattr read write append ioctl lock open }; >> + class filesystem getattr; >> + class lnk_file { read open }; >> class netlink_audit_socket { create nlmsg_relay audit_write read write }; >> class netlink_socket { setopt getopt create connect getattr write read }; >> - class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; >> + class sock_file { write }; >> + class system module_load; >> + class process { sigchld signull transition noatsecure siginh rlimitinh }; >> + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; >> >> @begin_dpdk@ >> - class sock_file { read write append getattr open }; >> + class sock_file { read append getattr open }; >> class tun_socket { relabelfrom relabelto create }; >> @end_dpdk@ >> } >> >> +#============= Set up the transition domain ============= >> +type openvswitch_load_module_exec_t; >> +type openvswitch_load_module_t; >> + >> +domain_type(openvswitch_load_module_exec_t); >> +domain_type(openvswitch_load_module_t); >> +role object_r types openvswitch_load_module_exec_t; >> +role system_r types openvswitch_load_module_t; >> +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); >> +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); >> + >> #============= openvswitch_t ============== >> allow openvswitch_t self:capability { 
dac_override audit_write }; >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; >> @@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w >> allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; >> allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; >> >> -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read }; >> +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search }; > I haven't inspected yet. Are these changes above to openvswitch_t type > related to what you are introducing here? Yes. The getattr, open, and search are somehow needed when going through the domain transition (although I admit I'm not sure why). >> allow openvswitch_t openvswitch_rw_t:file { write getattr read open >> execute execute_no_trans create unlink }; >> allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; >> allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write >> getattr read connectto connect setopt getopt sendto accept bind >> recvfrom acceptfrom }; >> +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; >> allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; >> >> @begin_dpdk@
>> @@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { >> read write append getattr open }; >> allow openvswitch_t svirt_t:unix_stream_socket { connectto read >> write getattr sendto recvfrom setopt }; >> allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; >> @end_dpdk@ >> + >> +#============= Transition allows ============= > > Were these simply autogenerated by audit2allow? For the most part, yes. I think there are probably some interface macros that could simplify it, so I will look at those. >> +type_transition openvswitch_t >> openvswitch_load_module_exec_t:process openvswitch_load_module_t; >> +allow openvswitch_t openvswitch_load_module_exec_t:file { execute >> read open getattr }; >> +allow openvswitch_t openvswitch_load_module_t:process transition; >> + >> +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; >> +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr >> ioctl read write }; >> +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; >> +allow openvswitch_load_module_t insmod_exec_t:file { execute >> execute_no_trans getattr map open read }; >> +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; >> +allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; >> +allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; >> +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; >> +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; >> +allow openvswitch_load_module_t passwd_file_t:file { getattr open read }; >> +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read >> open execute execute_no_trans map }; >> +allow openvswitch_load_module_t proc_t:file { getattr open read }; >> +allow openvswitch_load_module_t self:system module_load; >> +allow openvswitch_load_module_t self:process { siginh noatsecure 
rlimitinh siginh }; >> +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr }; >> +allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search }; >> +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; >> +allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto; >> +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search }; >> +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write; >> +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search }; >> +allow openvswitch_load_module_t sysfs_t:file { open read }; >> +allow openvswitch_load_module_t sysfs_t:lnk_file { read open }; >> +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr; >> + >> +kernel_load_module(openvswitch_load_module_t); >> -- >> 2.14.3 >>
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index db3cf6d8d..31e8fab15 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -1,13 +1,31 @@ module openvswitch-custom 1.0.1; require { + role system_r; + role object_r; + type openvswitch_t; type openvswitch_rw_t; type openvswitch_tmp_t; type openvswitch_var_run_t; + type bin_t; type ifconfig_exec_t; + type init_t; + type init_var_run_t; + type insmod_exec_t; type hostname_exec_t; + type modules_conf_t; + type modules_object_t; + type passwd_file_t; + type plymouth_exec_t; + type proc_t; + type shell_exec_t; + type sssd_t; + type sssd_public_t; + type sssd_var_lib_t; + type sysfs_t; + type systemd_unit_file_t; type tun_tap_device_t; @begin_dpdk@ 
@@ -21,18 +39,36 @@ require { class capability { dac_override audit_write }; class chr_file { write getattr read open ioctl }; - class dir { write remove_name add_name lock read }; - class file { write getattr read open execute execute_no_trans create unlink }; + class dir { write remove_name add_name lock read getattr search open }; + class fd { use }; + class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; + class fifo_file { getattr read write append ioctl lock open }; + class filesystem getattr; + class lnk_file { read open }; class netlink_audit_socket { create nlmsg_relay audit_write read write }; class netlink_socket { setopt getopt create connect getattr write read }; - class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; + class sock_file { write }; + class system module_load; + class process { sigchld signull transition noatsecure siginh rlimitinh }; + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; @begin_dpdk@ - class sock_file { read write append getattr open }; + class sock_file { read append getattr open }; class tun_socket { relabelfrom relabelto create }; @end_dpdk@ } +#============= Set up the transition domain ============= +type openvswitch_load_module_exec_t; +type openvswitch_load_module_t; + +domain_type(openvswitch_load_module_exec_t); +domain_type(openvswitch_load_module_t); +role object_r types openvswitch_load_module_exec_t; +role system_r types openvswitch_load_module_t; +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); + #============= openvswitch_t ============== allow openvswitch_t self:capability { dac_override audit_write }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; 
@@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read }; +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search }; allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; @begin_dpdk@ 
@@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; @end_dpdk@ + +#============= Transition allows ============= +type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t; +allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr }; +allow openvswitch_t openvswitch_load_module_t:process transition; + +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; +allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; +allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; +allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; +allow openvswitch_load_module_t passwd_file_t:file { getattr open read }; +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map }; +allow openvswitch_load_module_t proc_t:file { getattr open read }; +allow openvswitch_load_module_t self:system module_load; +allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh }; +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr }; +allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search }; +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; 
+allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto; +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search }; +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write; +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search }; +allow openvswitch_load_module_t sysfs_t:file { open read }; +allow openvswitch_load_module_t sysfs_t:lnk_file { read open }; +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr; + +kernel_load_module(openvswitch_load_module_t);
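Review bot: in the first hunk (@@ -1,13 +1,31 @@) the `module openvswitch-custom 1.0.1;` line is left untouched although the require block gains two roles and fifteen types and the module grows by 74 lines; bump the module version here (or tie it to the Open vSwitch release, as suggested in the thread) so that an updated policy package is not treated as the same module by `semodule`. Minor: the added `type` entries are alphabetical except that the pre-existing `type hostname_exec_t;` now sits between `insmod_exec_t` and `modules_conf_t`; moving it up next to `ifconfig_exec_t` keeps the list sorted.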
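Review bot: in the second hunk (@@ -21,18 +39,36 @@) `domain_type(openvswitch_load_module_exec_t);` applies the process-domain interface to the entrypoint file type; `domain_type()` belongs only on `openvswitch_load_module_t`, and `domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);` already marks the `_exec_t` type as an executable file type. The `role object_r types openvswitch_load_module_exec_t;` line can go for the same reason: the policy compiler associates every type with object_r implicitly. Note also that `domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);` expands to the `type_transition` rule, the `file { execute read open getattr }` allow on the exec type, the `process transition` allow and the `entrypoint` allow (plus the `fd use`, `fifo_file` and `process sigchld` rules that explain the new entries in the `class` list), so the explicit copies of those rules under "Transition allows" at the end of the patch are redundant and one of the two should be removed.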
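Review bot: in the third hunk (@@ -41,10 +77,11 @@) the extra `getattr open search` on `openvswitch_rw_t:dir` and the new `allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };` widen `openvswitch_t` itself, not the new domain, and the commit message does not mention them; please say why the transition path needs them (the thread says it is not yet understood) or split them into their own patch. These sets are the refpolicy `search_dir_perms` / `list_dir_perms` groups, and spelling them with the macros would make the intent reviewable.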
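Review bot: in the last hunk (@@ -58,3 +95,35 @@) `allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };` lists `siginh` twice. More importantly the block is raw audit2allow output and grants the module-loading domain far more than module loading: `insmod_exec_t:file { execute execute_no_trans ... }` runs modprobe inside `openvswitch_load_module_t` instead of transitioning to `insmod_t` (consider `modutils_domtrans_insmod()` if the goal is a minimal domain), `bin_t` and `shell_exec_t` let it run any binary without a transition, and the `sssd_t` connect, `passwd_file_t` read and `plymouth_exec_t` execute rules have no obvious relation to `ovs-kmod-ctl insert`; either drop them or explain which command in the script triggers them. Replacing the raw rules with the refpolicy interfaces (`corecmd_exec_bin()`, `corecmd_exec_shell()`, `dev_read_sysfs()`, `kernel_read_system_state()`, `files_read_kernel_modules()`, `modutils_read_module_config()`, `auth_read_passwd()`, `sssd_stream_connect()`) would document what is needed and why.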
Defines a type 'openvswitch_load_module_t' used exclusively for loading modules. This means that the 'openvswitch_t' domain won't require access to the module loading facility - such access can only happen after transitioning through the 'openvswitch_load_module_exec_t' transition context.

A future commit will label the appropriate script with extended attributes to make use of this new domain.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++---
1 file changed, 74 insertions(+), 5 deletions(-)
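The diagnosis in the thread (the script was labelled usr_t, so exec() kept the caller in openvswitch_t; relabelling it openvswitch_load_module_exec_t made the transition fire) comes down to what the kernel checks on exec(): the caller may execute the file, a type_transition rule names a new domain, the caller may transition to that domain, and the new domain may use the file as its entrypoint. The Python script below is an added example, not code from Open vSwitch or from the patch; it parses plain allow and type_transition statements in .te syntax and reports which domain a process ends up in for a given file label, and whether that domain holds system:module_load. The embedded policy text is copied from the "Transition allows" section of the patch; the usr_t rule is a constructed stand-in for the base-policy permission that let the unlabelled script run in openvswitch_t, and m4 interfaces such as domtrans_pattern() are not expanded.

```python
"""Static check of an SELinux domain transition (added example, not from
the Open vSwitch tree or the patch under review)."""
import re
from collections import defaultdict

# Constructed sample policy.  The first five rules are copied from the
# patch's "Transition allows" section; the usr_t rule is an assumption
# standing in for the base policy that let the unlabelled script run in
# openvswitch_t in the ps -Z output quoted in the thread.
POLICY_TEXT = """
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
allow openvswitch_t openvswitch_load_module_t:process transition;
allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
allow openvswitch_load_module_t self:system module_load;
allow openvswitch_t usr_t:file { read getattr open execute execute_no_trans };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")
TT_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+)\s*;")


def parse_policy(text):
    """Return (allows, transitions): allows maps (src, tgt, class) to a
    permission set, transitions maps (src, exec_type) to the new domain."""
    allows = defaultdict(set)
    transitions = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            tgt = src if tgt == "self" else tgt  # 'self' means the source type
            allows[(src, tgt, cls)].update(perms.strip("{} ").split())
            continue
        m = TT_RE.match(line)
        if m:
            src, exec_type, new_domain = m.groups()
            transitions[(src, exec_type)] = new_domain
    return allows, transitions


def has_perm(policy, src, tgt, cls, perm):
    allows, _ = policy
    tgt = src if tgt == "self" else tgt
    return perm in allows.get((src, tgt, cls), set())


def exec_result(policy, src, file_type):
    """Domain a process in `src` runs in after exec()ing a file labelled
    `file_type`, as (domain, reason); domain is None if exec is denied."""
    _, transitions = policy
    if not has_perm(policy, src, file_type, "file", "execute"):
        return None, "no execute permission on %s" % file_type
    new_domain = transitions.get((src, file_type))
    if new_domain is None:
        # No type_transition rule: the caller keeps its domain, which the
        # kernel only allows with execute_no_trans on the file.
        if has_perm(policy, src, file_type, "file", "execute_no_trans"):
            return src, "no transition rule, stays in %s" % src
        return None, "no transition rule and no execute_no_trans"
    missing = []
    if not has_perm(policy, src, new_domain, "process", "transition"):
        missing.append("allow %s %s:process transition" % (src, new_domain))
    if not has_perm(policy, new_domain, file_type, "file", "entrypoint"):
        missing.append("allow %s %s:file entrypoint" % (new_domain, file_type))
    if missing:
        return None, "transition to %s blocked, missing: %s" % (
            new_domain, "; ".join(missing))
    return new_domain, "transition to %s" % new_domain


def can_load_modules(policy, domain):
    """True if `domain` holds system:module_load on itself (init_module path)."""
    return has_perm(policy, domain, "self", "system", "module_load")


POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for label in ("usr_t", "openvswitch_load_module_exec_t"):
        domain, why = exec_result(POLICY, "openvswitch_t", label)
        print("%-32s -> %s (%s); module_load=%s" % (
            label, domain, why, domain is not None and can_load_modules(POLICY, domain)))
```

With the usr_t label the script stays in openvswitch_t, which cannot load modules; with the openvswitch_load_module_exec_t label it lands in openvswitch_load_module_t, which can, matching the two ps -Z lines in the report. Removing the entrypoint rule from the sample makes the checker report the transition as blocked, which is the kind of denial audit2allow would otherwise have to be consulted for. On a live system the same questions are answered by `sesearch -T -s openvswitch_t -t openvswitch_load_module_exec_t` for the transition rule and `ls -Z` on the script for its label; as the reply above notes, a file context in the policy only takes effect once the file is actually relabelled (for example with restorecon), which is what the manual chcon in the report did.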