diff mbox series

[ovs-dev,v3,3/6] selinux: allow openvswitch_t net_broadcast and net_raw

Message ID 20180601182849.12984-4-aconole@redhat.com
State Accepted
Headers show
Series selinux: introduce a transition domain for loading kmods | expand

Commit Message

Aaron Conole June 1, 2018, 6:28 p.m. UTC
The ovs-vswitchd daemon requires both CAP_NET_RAW and
CAP_NET_BROADCAST, but these are generally policy prevented by
selinux.  This allows these capabilities to be retained by the
openvswitch_t domain.

example:

  type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
  net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
  scontext=system_u:system_r:openvswitch_t:s0
  tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

  type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
  net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
  scontext=system_u:system_r:openvswitch_t:s0
  tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/openvswitch-custom.te.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Ansis June 18, 2018, 2:38 a.m. UTC | #1
On Fri, 1 Jun 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote:
>
> The ovs-vswitchd daemon requires both CAP_NET_RAW and
> CAP_NET_BROADCAST, but these are generally policy prevented by
> selinux.  This allows these capabilities to be retained by the
> openvswitch_t domain.
>
> example:
>
>   type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
>   net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
>   scontext=system_u:system_r:openvswitch_t:s0
>   tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
>
>   type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
>   net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
>   scontext=system_u:system_r:openvswitch_t:s0
>   tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
> ---
>  selinux/openvswitch-custom.te.in | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
> index 556e9d6a3..5bd2e1274 100644
> --- a/selinux/openvswitch-custom.te.in
> +++ b/selinux/openvswitch-custom.te.in
> @@ -37,7 +37,7 @@ require {
>          type vfio_device_t;
>  @end_dpdk@
>
> -        class capability { dac_override audit_write };
> +        class capability { dac_override audit_write net_broadcast net_raw };
>          class chr_file { write getattr read open ioctl };
>          class dir { write remove_name add_name lock read getattr search open };
>          class fd { use };
> @@ -70,7 +70,7 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
>  domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
>
>  #============= openvswitch_t ==============
> -allow openvswitch_t self:capability { dac_override audit_write };
> +allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
>  allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
>
> --
> 2.14.3
>
diff mbox series

Patch

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 556e9d6a3..5bd2e1274 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -37,7 +37,7 @@  require {
         type vfio_device_t;
 @end_dpdk@
 
-        class capability { dac_override audit_write };
+        class capability { dac_override audit_write net_broadcast net_raw };
         class chr_file { write getattr read open ioctl };
         class dir { write remove_name add_name lock read getattr search open };
         class fd { use };
@@ -70,7 +70,7 @@  domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
 domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
 
 #============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write };
+allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };