[ovs-dev] selinux: update for netlink socket types

Message ID 20190417200725.7177-1-aconole@redhat.com
State Accepted
Series
  • [ovs-dev] selinux: update for netlink socket types

Commit Message

Aaron Conole April 17, 2019, 8:07 p.m. UTC
These are used for interfacing with conntrack, as well as by some
DPDK PMDs

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/openvswitch-custom.te.in | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Ansis Atteka April 18, 2019, 7:39 p.m. UTC | #1
On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>
> These are used for interfacing with conntrack, as well as by some
> DPDK PMDs

Did you get these with audit2allow? If so, then looks good to me.
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  selinux/openvswitch-custom.te.in | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index 26495828a..2adaf231f 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -49,6 +49,10 @@ require {
>          class filesystem getattr;
>          class lnk_file { read open };
>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
> +        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
> +@begin_dpdk@
> +        class netlink_rdma_socket { setopt bind create };
> +@end_dpdk@
>          class netlink_socket { setopt getopt create connect getattr write read };
>          class sock_file { write };
>          class system { module_load module_request };
> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
>  #============= openvswitch_t ==============
>  allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
> +@begin_dpdk@
> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
> +@end_dpdk@
>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>
>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
> --
> 2.19.1
>
Aaron Conole April 18, 2019, 9 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>>
>> These are used for interfacing with conntrack, as well as by some
>> DPDK PMDs
>
> Did you get these with audit2allow? If so, then looks good to me.

Yes.  Sorry, I should have put the AVCs and the resulting permissions
stuff in the commit message.  I'll do that next time.

>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  selinux/openvswitch-custom.te.in | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
>> index 26495828a..2adaf231f 100644
>> --- a/selinux/openvswitch-custom.te.in
>> +++ b/selinux/openvswitch-custom.te.in
>> @@ -49,6 +49,10 @@ require {
>>          class filesystem getattr;
>>          class lnk_file { read open };
>>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
>> +        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> +@begin_dpdk@
>> +        class netlink_rdma_socket { setopt bind create };
>> +@end_dpdk@
>>          class netlink_socket { setopt getopt create connect getattr write read };
>>          class sock_file { write };
>>          class system { module_load module_request };
>> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
>>  #============= openvswitch_t ==============
>>  allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> +@begin_dpdk@
>> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>> +@end_dpdk@
>>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>>
>>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
>> --
>> 2.19.1
>>
Ansis Atteka April 21, 2019, 9:10 p.m. UTC | #3
On Thu, 18 Apr 2019 at 14:00, Aaron Conole <aconole@redhat.com> wrote:
>
> Ansis Atteka <ansisatteka@gmail.com> writes:
>
> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
> >>
> >> These are used for interfacing with conntrack, as well as by some
> >> DPDK PMDs
> >
> > Did you get these with audit2allow? If so, then looks good to me.
>
> Yes.  Sorry, I should have put the AVCs and the resulting permissions
> stuff in the commit message.  I'll do that next time.
Acked-by: Ansis Atteka <aatteka@ovn.org>

Pushed it to master branch.

>
> >> Signed-off-by: Aaron Conole <aconole@redhat.com>
> >> ---
> >>  selinux/openvswitch-custom.te.in | 8 ++++++++
> >>  1 file changed, 8 insertions(+)
> >>
> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> >> index 26495828a..2adaf231f 100644
> >> --- a/selinux/openvswitch-custom.te.in
> >> +++ b/selinux/openvswitch-custom.te.in
> >> @@ -49,6 +49,10 @@ require {
> >>          class filesystem getattr;
> >>          class lnk_file { read open };
> >>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
> >> +        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
> >> +@begin_dpdk@
> >> +        class netlink_rdma_socket { setopt bind create };
> >> +@end_dpdk@
> >>          class netlink_socket { setopt getopt create connect getattr write read };
> >>          class sock_file { write };
> >>          class system { module_load module_request };
> >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
> >>  #============= openvswitch_t ==============
> >>  allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
> >>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
> >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
> >> +@begin_dpdk@
> >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
> >> +@end_dpdk@
> >>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
> >>
> >>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
> >> --
> >> 2.19.1
> >>
Aaron Conole April 29, 2019, 12:24 p.m. UTC | #4
Ansis Atteka <ansisatteka@gmail.com> writes:

> On Thu, 18 Apr 2019 at 14:00, Aaron Conole <aconole@redhat.com> wrote:
>>
>> Ansis Atteka <ansisatteka@gmail.com> writes:
>>
>> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>> >>
>> >> These are used for interfacing with conntrack, as well as by some
>> >> DPDK PMDs
>> >
>> > Did you get these with audit2allow? If so, then looks good to me.
>>
>> Yes.  Sorry, I should have put the AVCs and the resulting permissions
>> stuff in the commit message.  I'll do that next time.
>
>
>
> Acked-by: Ansis Atteka <aatteka@ovn.org>
>
> Pushed it to master branch.

Thanks, Ansis!

>>
>> >> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> >> ---
>> >>  selinux/openvswitch-custom.te.in | 8 ++++++++
>> >>  1 file changed, 8 insertions(+)
>> >>
>> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
>> >> index 26495828a..2adaf231f 100644
>> >> --- a/selinux/openvswitch-custom.te.in
>> >> +++ b/selinux/openvswitch-custom.te.in
>> >> @@ -49,6 +49,10 @@ require {
>> >>          class filesystem getattr;
>> >>          class lnk_file { read open };
>> >>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
>> >> +        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> >> +@begin_dpdk@
>> >> +        class netlink_rdma_socket { setopt bind create };
>> >> +@end_dpdk@
>> >>          class netlink_socket { setopt getopt create connect getattr write read };
>> >>          class sock_file { write };
>> >>          class system { module_load module_request };
>> >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
>> >>  #============= openvswitch_t ==============
>> >>  allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>> >>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>> >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
>> >> +@begin_dpdk@
>> >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
>> >> +@end_dpdk@
>> >>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>> >>
>> >>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
>> >> --
>> >> 2.19.1
>> >>

Patch

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 26495828a..2adaf231f 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -49,6 +49,10 @@  require {
         class filesystem getattr;
         class lnk_file { read open };
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
+        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+        class netlink_rdma_socket { setopt bind create };
+@end_dpdk@
         class netlink_socket { setopt getopt create connect getattr write read };
         class sock_file { write };
         class system { module_load module_request };
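Review bot: the permission set on the new netlink_netfilter_socket require line is a verbatim copy of the netlink_audit_socket line directly above it, including nlmsg_relay and audit_write, which are audit-specific permissions; since the thread says the set came from audit2allow, the AVC denials should be quoted in the commit message so a reviewer can confirm the conntrack path actually requested nlmsg_relay and audit_write on a netfilter socket rather than only create, read and write. Minor style point: the @begin_dpdk@ / @end_dpdk@ markers sit at column 0 inside an indented require block; a short comment that they are build-time template markers rather than policy syntax would help the next reader.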
@@ -75,6 +79,10 @@  domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+@end_dpdk@
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
 
 allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
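Review bot: the netlink_rdma_socket allow rule grants only { setopt bind create } while the netlink_netfilter_socket rule beside it also grants read and write; because audit2allow only reports the denials that were actually hit, a permission set taken from a single run can stop at the first operation that failed, so the DPDK PMD path should be exercised again with this policy loaded to confirm no follow-up denials for read or write on the rdma socket appear (or, if the PMD really only creates, binds and sets options, the commit message should say so). The commit message should also name which DPDK PMDs need the RDMA netlink socket, so the @begin_dpdk@ guard is understood to be the right scope for the rule.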