[ovs-dev,2/4] selinux: create a transition type for module loading

Message ID 20180320210518.9982-3-aconole@redhat.com
State Changes Requested
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole March 20, 2018, 9:05 p.m. UTC
Defines a type 'openvswitch_load_module_t' used exclusively for loading
modules.  This means that the 'openvswitch_t' domain won't require
access to the module loading facility - such access can only happen
after transitioning through the 'openvswitch_load_module_exec_t'
transition context.

A future commit will label the appropriate script with extended attributes
to make use of this new domain.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 74 insertions(+), 5 deletions(-)

Comments

Ansis Atteka March 26, 2018, 9:45 p.m. UTC | #1
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> Defines a type 'openvswitch_load_module_t' used exclusively for loading
> modules.  This means that the 'openvswitch_t' domain won't require
> modules

Are you sure the bootstrapping to intended openvswitch_load_module_t
happens properly?

In my case it does not appear to happen correctly, because the
ovs-kmod-ctl does not have the right SElinux type:

[vagrant@centosbuilder ~]$ ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl
-rwxr-xr-x. root root system_u:object_r:usr_t:s0
/usr/share/openvswitch/scripts/ovs-kmod-ctl

and then in "ps -Z" I see:

unconfined_u:system_r:openvswitch_t:s0 root 32013 31995  0 21:37 ?
00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl insert



After manually:

# chcon system_u:object_r:openvswitch_load_module_exec_t:s0
/usr/share/openvswitch/scripts/ovs-kmod-ctl

I see that in "ps -Z ..." output suddenly the process executing
ovs-kmod-ctl transitions to the correct openvswitch_load_module_t
type:

unconfined_u:system_r:openvswitch_load_module_t:s0 root 12225 12215  0
21:33 ? 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl
insert


Is this a bug or am I missing something?

> access to the module loading facility - such access can only happen
> after transitioning through the 'openvswitch_load_module_exec_t'
> transition context.
>
> A future commit will label the appropriate script with extended attributes
> to make use of this new domain.
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++---
>  1 file changed, 74 insertions(+), 5 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index db3cf6d8d..31e8fab15 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -1,13 +1,31 @@
>  module openvswitch-custom 1.0.1;
Unrelated to your series, but I think we should peg the Open vSwitch
selinux module version to the Open vSwitch version. What do you think?

>
>  require {
> +        role system_r;
> +        role object_r;
> +
>          type openvswitch_t;
>          type openvswitch_rw_t;
>          type openvswitch_tmp_t;
>          type openvswitch_var_run_t;
>
> +        type bin_t;
>          type ifconfig_exec_t;
> +        type init_t;
> +        type init_var_run_t;
> +        type insmod_exec_t;
>          type hostname_exec_t;
> +        type modules_conf_t;
> +        type modules_object_t;
> +        type passwd_file_t;
> +        type plymouth_exec_t;
> +        type proc_t;
> +        type shell_exec_t;
> +        type sssd_t;
> +        type sssd_public_t;
> +        type sssd_var_lib_t;
> +        type sysfs_t;
> +        type systemd_unit_file_t;
>          type tun_tap_device_t;
>
>  @begin_dpdk@
> @@ -21,18 +39,36 @@ require {
>
>          class capability { dac_override audit_write };
>          class chr_file { write getattr read open ioctl };
> -        class dir { write remove_name add_name lock read };
> -        class file { write getattr read open execute execute_no_trans create unlink };
> +        class dir { write remove_name add_name lock read getattr search open };
> +        class fd { use };
> +        class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
> +        class fifo_file { getattr read write append ioctl lock open };
> +        class filesystem getattr;
> +        class lnk_file { read open };
>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
>          class netlink_socket { setopt getopt create connect getattr write read };
> -        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
> +        class sock_file { write };
> +        class system module_load;
> +        class process { sigchld signull transition noatsecure siginh rlimitinh };
> +        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
>
>  @begin_dpdk@
> -        class sock_file { read write append getattr open };
> +        class sock_file { read append getattr open };
>          class tun_socket { relabelfrom relabelto create };
>  @end_dpdk@
>  }
>
> +#============= Set up the transition domain =============
> +type openvswitch_load_module_exec_t;
> +type openvswitch_load_module_t;
> +
> +domain_type(openvswitch_load_module_exec_t);
> +domain_type(openvswitch_load_module_t);
> +role object_r types openvswitch_load_module_exec_t;
> +role system_r types openvswitch_load_module_t;
> +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
> +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
> +
>  #============= openvswitch_t ==============
>  allow openvswitch_t self:capability { dac_override audit_write };
>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
> @@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w
>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
>  allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
>
> -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
> +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
I haven't inspected yet. Are these changes above to the openvswitch_t type
related to what you are introducing here?

>  allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
>  allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
>  allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
> +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };
>  allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
>
>  @begin_dpdk@
> @@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
>  allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
>  allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
>  @end_dpdk@
> +
> +#============= Transition allows =============

Were these simply autogenerated by audit2allow?
> +type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
> +allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
> +allow openvswitch_t openvswitch_load_module_t:process transition;
> +
> +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
> +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
> +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
> +allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
> +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
> +allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
> +allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
> +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
> +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
> +allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
> +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
> +allow openvswitch_load_module_t proc_t:file { getattr open read };
> +allow openvswitch_load_module_t self:system module_load;
> +allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
> +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
> +allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
> +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
> +allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
> +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
> +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
> +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
> +allow openvswitch_load_module_t sysfs_t:file { open read };
> +allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
> +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
> +
> +kernel_load_module(openvswitch_load_module_t);
> --
> 2.14.3
>
Aaron Conole March 27, 2018, 1:51 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> Defines a type 'openvswitch_load_module_t' used exclusively for loading
>> modules.  This means that the 'openvswitch_t' domain won't require
>> modules
>
> Are you sure the bootstrapping to intended openvswitch_load_module_t
> happens properly?

Are you asking whether the domain works?  It did for me.

> In my case it does not appear to happen correctly, because the
> ovs-kmod-ctl does not have the right SElinux type:
>
> [vagrant@centosbuilder ~]$ ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl
> -rwxr-xr-x. root root system_u:object_r:usr_t:s0
> /usr/share/openvswitch/scripts/ovs-kmod-ctl
>
> and then in "ps -Z" I see:
>
> unconfined_u:system_r:openvswitch_t:s0 root 32013 31995  0 21:37 ?
> 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl insert
>
> After manually:
>
> # chcon system_u:object_r:openvswitch_load_module_exec_t:s0
> /usr/share/openvswitch/scripts/ovs-kmod-ctl
>
> I see that in "ps -Z ..." output suddenly the process executing
> ovs-kmod-ctl transitions to the correct openvswitch_load_module_t
> type:
>
> unconfined_u:system_r:openvswitch_load_module_t:s0 root 12225 12215  0
> 21:33 ? 00:00:00 /bin/sh /usr/share/openvswitch/scripts/ovs-kmod-ctl
> insert
>
>
> Is this a bug or am I missing something?

This commit creates the domain, but nothing is labeled to it, until
3/4.  After 3/4, the label will exist in the policy (but only get
applied when the label operation is invoked, it seems - which was
confusing for me).  This is also why I needed 4/4 - the selinux labeling
operations weren't there.

Make sense?

>> access to the module loading facility - such access can only happen
>> after transitioning through the 'openvswitch_load_module_exec_t'
>> transition context.
>>
>> A future commit will label the appropriate script with extended attributes
>> to make use of this new domain.
>>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++---
>>  1 file changed, 74 insertions(+), 5 deletions(-)
>>
>> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
>> index db3cf6d8d..31e8fab15 100644
>> --- a/selinux/openvswitch-custom.te.in
>> +++ b/selinux/openvswitch-custom.te.in
>> @@ -1,13 +1,31 @@
>>  module openvswitch-custom 1.0.1;
> Unrelated to your series, but I think we should peg the Open vSwitch
> selinux module version to the Open vSwitch version. What do you think?

I think it's a good idea.  I can fold it in as a new patch in the
series.  Or if you want to submit it formally, go ahead and include my
Acked-by :)

>>
>>  require {
>> +        role system_r;
>> +        role object_r;
>> +
>>          type openvswitch_t;
>>          type openvswitch_rw_t;
>>          type openvswitch_tmp_t;
>>          type openvswitch_var_run_t;
>>
>> +        type bin_t;
>>          type ifconfig_exec_t;
>> +        type init_t;
>> +        type init_var_run_t;
>> +        type insmod_exec_t;
>>          type hostname_exec_t;
>> +        type modules_conf_t;
>> +        type modules_object_t;
>> +        type passwd_file_t;
>> +        type plymouth_exec_t;
>> +        type proc_t;
>> +        type shell_exec_t;
>> +        type sssd_t;
>> +        type sssd_public_t;
>> +        type sssd_var_lib_t;
>> +        type sysfs_t;
>> +        type systemd_unit_file_t;
>>          type tun_tap_device_t;
>>
>>  @begin_dpdk@
>> @@ -21,18 +39,36 @@ require {
>>
>>          class capability { dac_override audit_write };
>>          class chr_file { write getattr read open ioctl };
>> -        class dir { write remove_name add_name lock read };
>> -        class file { write getattr read open execute execute_no_trans create unlink };
>> +        class dir { write remove_name add_name lock read getattr search open };
>> +        class fd { use };
>> +        class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
>> +        class fifo_file { getattr read write append ioctl lock open };
>> +        class filesystem getattr;
>> +        class lnk_file { read open };
>>          class netlink_audit_socket { create nlmsg_relay audit_write read write };
>>          class netlink_socket { setopt getopt create connect getattr write read };
>> -        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
>> +        class sock_file { write };
>> +        class system module_load;
>> +        class process { sigchld signull transition noatsecure siginh rlimitinh };
>> +        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
>>
>>  @begin_dpdk@
>> -        class sock_file { read write append getattr open };
>> +        class sock_file { read append getattr open };
>>          class tun_socket { relabelfrom relabelto create };
>>  @end_dpdk@
>>  }
>>
>> +#============= Set up the transition domain =============
>> +type openvswitch_load_module_exec_t;
>> +type openvswitch_load_module_t;
>> +
>> +domain_type(openvswitch_load_module_exec_t);
>> +domain_type(openvswitch_load_module_t);
>> +role object_r types openvswitch_load_module_exec_t;
>> +role system_r types openvswitch_load_module_t;
>> +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
>> +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
>> +
>>  #============= openvswitch_t ==============
>>  allow openvswitch_t self:capability { dac_override audit_write };
>>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>> @@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w
>>  allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
>>  allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
>>
>> -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
>> +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
> I haven't inspected yet. Are these changes above to openswitch_t type
> related to what you are introducing here?

Yes.  The getattr, open, and search are somehow needed when going
through the domain transition (although I admit I'm not sure why).

>>  allow openvswitch_t openvswitch_rw_t:file { write getattr read open
>> execute execute_no_trans create unlink };
>>  allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
>>  allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write
>> getattr read connectto connect setopt getopt sendto accept bind
>> recvfrom acceptfrom };
>> +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };
>>  allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
>>
>>  @begin_dpdk@
>> @@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file {
>> read write append getattr open };
>>  allow openvswitch_t svirt_t:unix_stream_socket { connectto read
>> write getattr sendto recvfrom setopt };
>>  allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
>>  @end_dpdk@
>> +
>> +#============= Transition allows =============
>
> Were these simply autogenerated by audit2allow?

For the most part, yes.  I think there are probably some interface
macros that could simplify it, so I will look at those.

>> +type_transition openvswitch_t
>> openvswitch_load_module_exec_t:process openvswitch_load_module_t;
>> +allow openvswitch_t openvswitch_load_module_exec_t:file { execute
>> read open getattr };
>> +allow openvswitch_t openvswitch_load_module_t:process transition;
>> +
>> +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
>> +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr
>> ioctl read write };
>> +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
>> +allow openvswitch_load_module_t insmod_exec_t:file { execute
>> execute_no_trans getattr map open read };
>> +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
>> +allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
>> +allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
>> +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
>> +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
>> +allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
>> +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read
>> open execute execute_no_trans map };
>> +allow openvswitch_load_module_t proc_t:file { getattr open read };
>> +allow openvswitch_load_module_t self:system module_load;
>> +allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
>> +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
>> +allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
>> +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
>> +allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
>> +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
>> +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
>> +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
>> +allow openvswitch_load_module_t sysfs_t:file { open read };
>> +allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
>> +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
>> +
>> +kernel_load_module(openvswitch_load_module_t);
>> --
>> 2.14.3
>>

Patch

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index db3cf6d8d..31e8fab15 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -1,13 +1,31 @@ 
 module openvswitch-custom 1.0.1;
 
 require {
+        role system_r;
+        role object_r;
+
         type openvswitch_t;
         type openvswitch_rw_t;
         type openvswitch_tmp_t;
         type openvswitch_var_run_t;
 
+        type bin_t;
         type ifconfig_exec_t;
+        type init_t;
+        type init_var_run_t;
+        type insmod_exec_t;
         type hostname_exec_t;
+        type modules_conf_t;
+        type modules_object_t;
+        type passwd_file_t;
+        type plymouth_exec_t;
+        type proc_t;
+        type shell_exec_t;
+        type sssd_t;
+        type sssd_public_t;
+        type sssd_var_lib_t;
+        type sysfs_t;
+        type systemd_unit_file_t;
         type tun_tap_device_t;
 
 @begin_dpdk@
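Review bot: The new unconditional `require` entries for `sssd_t`, `sssd_public_t`, `sssd_var_lib_t` (L469-L471) and `plymouth_exec_t` (L466) turn those types into hard dependencies, so the whole module fails to link on a host whose base policy does not define them. The rules consuming them in the last hunk are exec-time side effects of running the script rather than part of module loading, which makes them the natural candidates for an `optional { require { type sssd_t; ... }; allow ...; }` block while the core transition rules stay unconditional. The `role object_r;` requirement on L450 only exists to support the `role object_r types` statement in the next hunk and can go with it if that statement is dropped.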
@@ -21,18 +39,36 @@  require {
 
         class capability { dac_override audit_write };
         class chr_file { write getattr read open ioctl };
-        class dir { write remove_name add_name lock read };
-        class file { write getattr read open execute execute_no_trans create unlink };
+        class dir { write remove_name add_name lock read getattr search open };
+        class fd { use };
+        class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+        class fifo_file { getattr read write append ioctl lock open };
+        class filesystem getattr;
+        class lnk_file { read open };
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
         class netlink_socket { setopt getopt create connect getattr write read };
-        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+        class sock_file { write };
+        class system module_load;
+        class process { sigchld signull transition noatsecure siginh rlimitinh };
+        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
 
 @begin_dpdk@
-        class sock_file { read write append getattr open };
+        class sock_file { read append getattr open };
         class tun_socket { relabelfrom relabelto create };
 @end_dpdk@
 }
 
+#============= Set up the transition domain =============
+type openvswitch_load_module_exec_t;
+type openvswitch_load_module_t;
+
+domain_type(openvswitch_load_module_exec_t);
+domain_type(openvswitch_load_module_t);
+role object_r types openvswitch_load_module_exec_t;
+role system_r types openvswitch_load_module_t;
+domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
+domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
+
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
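Review bot: `domain_type(openvswitch_load_module_exec_t);` on L508 declares the entrypoint file's label as a process domain rather than a file type, which is presumably why the unusual `role object_r types` statement on L510 became necessary; an executable label should be declared with a file-type interface instead, e.g. `files_type(openvswitch_load_module_exec_t);` (or `application_executable_file(...)`), with L510 removed. `domtrans_pattern(...)` on L513 already expands to the `type_transition`, the exec permissions on the entrypoint file and the `process transition` rule for `openvswitch_t`, so the three explicit statements that open the "Transition allows" section in the last hunk repeat it and can be dropped. The `fd`, `fifo_file` and `filesystem` classes added to the `require` block (L484, L486, L487) are not referenced by any rule in this diff; the interface macros carry their own requirements, so these look like leftovers.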
@@ -41,10 +77,11 @@  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w
 allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
 allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
 
-allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
+allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
 allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
 allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
 allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
+allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search };
 allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
 
 @begin_dpdk@
@@ -58,3 +95,35 @@  allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
 allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
 allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
 @end_dpdk@
+
+#============= Transition allows =============
+type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
+allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
+allow openvswitch_t openvswitch_load_module_t:process transition;
+
+allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
+allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
+allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
+allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
+allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
+allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
+allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
+allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
+allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
+allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
+allow openvswitch_load_module_t proc_t:file { getattr open read };
+allow openvswitch_load_module_t self:system module_load;
+allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
+allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
+allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
+allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
+allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
+allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
+allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
+allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
+allow openvswitch_load_module_t sysfs_t:file { open read };
+allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
+allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
+
+kernel_load_module(openvswitch_load_module_t);
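Review bot: `allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };` on L554 lists `siginh` twice, and as far as I recall the kernel checks these three permissions with the calling domain as source and the new domain as target, so a `self` rule on the new domain never matches; `domtrans_pattern` on L513 already dontaudits them for the openvswitch_t to openvswitch_load_module_t transition, so the line can simply be removed. `self:system module_load` on L553 covers only the `init_module` path where the module image is read into memory; `finit_module`, which current modprobe prefers, is checked against the module file's own type, so the domain will likely also need `allow openvswitch_load_module_t modules_object_t:system module_load;` unless `kernel_load_module` on L566 supplies it in the target policy — worth confirming against the denials with a `finit_module`-based modprobe.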