From patchwork Wed Jul 18 14:53:03 2018
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 945744
X-Patchwork-Delegate: ian.stokes@intel.com
From: Aaron Conole
To: dev@openvswitch.org
Cc: Ansis Atteka
Date: Wed, 18 Jul 2018 10:53:03 -0400
Message-Id: <20180718145303.5929-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH] selinux: changes to support newer hugetlbfs restrictions

Newer selinux base policies now split out 'map' actions, as well as adding more explicit checks for hugetlbfs objects. Where previously these weren't required, recent changes have flagged the allocation of hugepages and subsequent clearing. This means that the hugepage storage information for the DPDK .rte_config, and clearing actions copying from /dev/zero, will trigger selinux denials.

This commit allows openvswitch to have more permissions for the hugetlbfs allocation and use.

Signed-off-by: Aaron Conole
Acked-by: Ansis Atteka
---
NOTE: I seem to have lost the system with the logs that were used to generate this policy. If needed, I can ask to get access again and recreate the scenarios.

 selinux/openvswitch-custom.te.in | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 4678f2f57..21de1136d 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -37,13 +37,14 @@ require { type svirt_image_t; type svirt_tmpfs_t; type vfio_device_t; + type zero_device_t; @end_dpdk@ class capability { dac_override audit_write net_broadcast net_raw }; - class chr_file { write getattr read open ioctl }; + class chr_file { write getattr read open ioctl map }; class dir { write remove_name add_name lock read getattr search open }; class fd { use }; - class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; + class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; class fifo_file { getattr read write append ioctl lock open }; class filesystem getattr; class lnk_file { read open }; @@ -83,7 +84,8 @@ allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; -allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock }; +allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink }; allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; @begin_dpdk@ 
@@ -96,6 +98,7 @@ allow openvswitch_t svirt_tmpfs_t:file { read write }; allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; +allow openvswitch_t zero_device_t:chr_file { read open getattr map }; @end_dpdk@ #============= Transition allows =============
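Review bot: in the first hunk (`@@ -37,13 +37,14 @@`) the new `class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };` lists `map` twice; the pre-patch line already carried `map` after `unlink`, so the added leading `map` is redundant and should be dropped. The only real change that hunk needs in the require block is `class chr_file { write getattr read open ioctl map };` plus the `type zero_device_t;` declaration, which is correctly placed inside `@begin_dpdk@`/`@end_dpdk@` to match the DPDK-only allow rule that uses it.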
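Review bot: in the second hunk (`@@ -83,7 +84,8 @@`) the widened `openvswitch_var_run_t:dir { ... write remove_name add_name lock }` rule and the new `openvswitch_var_run_t:file { map open read write getattr create unlink }` rule sit above `@begin_dpdk@`, so they are granted in every build, while the commit message justifies them only with DPDK's `.rte_config` hugepage bookkeeping. Either move both rules inside the DPDK block or state in the commit message why non-DPDK builds also need create/unlink/map on files under the run directory; as written the grant is broader than the description suggests.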
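Review bot: in the third hunk (`@@ -96,6 +98,7 @@`) `allow openvswitch_t zero_device_t:chr_file { read open getattr map };` is consistent with the `map` permission added to the `chr_file` class in the require block, but the cover note says the audit logs the rules were derived from are lost, so the commit message records no denial for this or the other new rules. Please recreate the scenario and include the AVC denial lines (or the audit2allow output) in the commit message so each permission, `getattr` in particular, can be matched to a denial that actually occurred.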
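A small consistency check over a policy module in this file's format, added here as an example rather than taken from the patch or the Open vSwitch tree: it parses the `require` block and the `allow` rules, reports permissions declared twice in a class (as the patched `file` class does with `map`) and permissions an allow rule uses without a matching class declaration. The excerpt it runs on is constructed from the patched lines plus one extra rule to exercise the second check.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the patched openvswitch-custom.te.in; the
# duplicated 'map' in the file class is kept on purpose, and one extra allow
# rule (ioctl execute on zero_device_t) is added to exercise the check.
SAMPLE_TE = """
require {
    type openvswitch_t;
    type openvswitch_var_run_t;
    type zero_device_t;
    class chr_file { write getattr read open ioctl map };
    class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
    class dir { write remove_name add_name lock read getattr search open };
    class filesystem getattr;
}
allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
allow openvswitch_t zero_device_t:chr_file { read open getattr map };
allow openvswitch_t zero_device_t:chr_file { ioctl execute };
"""
# A permission set is either braced or a single bare word ("class filesystem getattr;").
PERMS = r"(?:\{([^}]*)\}|(\w+))\s*;"
CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+" + PERMS)
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS)

def _perm_list(braced, bare):
    return braced.split() if braced is not None else [bare]

def parse_require_classes(text):
    """Map each class named in the require block to the permissions it declares."""
    return {m.group(1): _perm_list(m.group(2), m.group(3))
            for m in CLASS_RE.finditer(text)}

def duplicate_perms(text):
    """Per class, permissions listed more than once in its require declaration."""
    return {cls: sorted(p for p, n in Counter(perms).items() if n > 1)
            for cls, perms in parse_require_classes(text).items()
            if len(set(perms)) < len(perms)}

def undeclared_perms(text):
    """(source, target, class, perm) for allow-rule perms the require block lacks."""
    declared = parse_require_classes(text)
    missing = []
    for m in ALLOW_RE.finditer(text):
        src, tgt, cls = m.group(1), m.group(2), m.group(3)
        known = set(declared.get(cls, []))
        missing += [(src, tgt, cls, p)
                    for p in _perm_list(m.group(4), m.group(5)) if p not in known]
    return missing
```

Run against the real `openvswitch-custom.te.in` after expanding the `@begin_dpdk@`/`@end_dpdk@` markers, since the checker does not evaluate those conditionals.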