Message ID | 20190417200725.7177-1-aconole@redhat.com
---|---
State | Accepted
Series | [ovs-dev] selinux: update for netlink socket types
On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>
> These are used for interfacing with conntrack, as well as by some
> DPDK PMDs

Did you get these with audit2allow? If so, then looks good to me.

>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
> selinux/openvswitch-custom.te.in | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > index 26495828a..2adaf231f 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -49,6 +49,10 @@ require { > class filesystem getattr; > class lnk_file { read open }; > class netlink_audit_socket { create nlmsg_relay audit_write read write }; > + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; > +@begin_dpdk@ > + class netlink_rdma_socket { setopt bind create }; > +@end_dpdk@ > class netlink_socket { setopt getopt create connect getattr write read }; > class sock_file { write }; > class system { module_load module_request }; > @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load > #============= openvswitch_t ============== > allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; > allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; > +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; > +@begin_dpdk@ > +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; > +@end_dpdk@ > allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; > > allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; > -- > 2.19.1 >
Ansis Atteka <ansisatteka@gmail.com> writes:

> On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>>
>> These are used for interfacing with conntrack, as well as by some
>> DPDK PMDs
>
> Did you get these with audit2allow? If so, then looks good to me.

Yes. Sorry, I should have put the AVCs and the resulting permissions
stuff in the commit message. I'll do that next time.

>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>> selinux/openvswitch-custom.te.in | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in >> index 26495828a..2adaf231f 100644 >> --- a/selinux/openvswitch-custom.te.in >> +++ b/selinux/openvswitch-custom.te.in >> @@ -49,6 +49,10 @@ require { >> class filesystem getattr; >> class lnk_file { read open }; >> class netlink_audit_socket { create nlmsg_relay audit_write read write }; >> + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; >> +@begin_dpdk@ >> + class netlink_rdma_socket { setopt bind create }; >> +@end_dpdk@ >> class netlink_socket { setopt getopt create connect getattr write read }; >> class sock_file { write }; >> class system { module_load module_request }; >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load >> #============= openvswitch_t ============== >> allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; >> +@begin_dpdk@ >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; >> +@end_dpdk@ >> allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; >> >> allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; >> -- >> 2.19.1 >>
On Thu, 18 Apr 2019 at 14:00, Aaron Conole <aconole@redhat.com> wrote:
>
> Ansis Atteka <ansisatteka@gmail.com> writes:
>
> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
> >>
> >> These are used for interfacing with conntrack, as well as by some
> >> DPDK PMDs
> >
> > Did you get these with audit2allow? If so, then looks good to me.
>
> Yes. Sorry, I should have put the AVCs and the resulting permissions
> stuff in the commit message. I'll do that next time.

Acked-by: Ansis Atteka <aatteka@ovn.org>

Pushed it to master branch.

>
> >> Signed-off-by: Aaron Conole <aconole@redhat.com>
> >> ---
> >> selinux/openvswitch-custom.te.in | 8 ++++++++
> >> 1 file changed, 8 insertions(+)
> >>
> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > >> index 26495828a..2adaf231f 100644 > >> --- a/selinux/openvswitch-custom.te.in > >> +++ b/selinux/openvswitch-custom.te.in > >> @@ -49,6 +49,10 @@ require { > >> class filesystem getattr; > >> class lnk_file { read open }; > >> class netlink_audit_socket { create nlmsg_relay audit_write read write }; > >> + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; > >> +@begin_dpdk@ > >> + class netlink_rdma_socket { setopt bind create }; > >> +@end_dpdk@ > >> class netlink_socket { setopt getopt create connect getattr write read }; > >> class sock_file { write }; > >> class system { module_load module_request };
> >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load > >> #============= openvswitch_t ============== > >> allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; > >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; > >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; > >> +@begin_dpdk@ > >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; > >> +@end_dpdk@ > >> allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; > >> > >> allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; > >> -- > >> 2.19.1 > >>
Ansis Atteka <ansisatteka@gmail.com> writes:

> On Thu, 18 Apr 2019 at 14:00, Aaron Conole <aconole@redhat.com> wrote:
>>
>> Ansis Atteka <ansisatteka@gmail.com> writes:
>>
>> > On Wed, 17 Apr 2019 at 13:07, Aaron Conole <aconole@redhat.com> wrote:
>> >>
>> >> These are used for interfacing with conntrack, as well as by some
>> >> DPDK PMDs
>> >
>> > Did you get these with audit2allow? If so, then looks good to me.
>>
>> Yes. Sorry, I should have put the AVCs and the resulting permissions
>> stuff in the commit message. I'll do that next time.
>
>
>
> Acked-by: Ansis Atteka <aatteka@ovn.org>
>
> Pushed it to master branch.

Thanks, Ansis!

>>
>> >> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> >> ---
>> >> selinux/openvswitch-custom.te.in | 8 ++++++++
>> >> 1 file changed, 8 insertions(+)
>> >>
>> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in >> >> index 26495828a..2adaf231f 100644 >> >> --- a/selinux/openvswitch-custom.te.in >> >> +++ b/selinux/openvswitch-custom.te.in >> >> @@ -49,6 +49,10 @@ require { >> >> class filesystem getattr; >> >> class lnk_file { read open }; >> >> class netlink_audit_socket { create nlmsg_relay audit_write read write }; >> >> + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; >> >> +@begin_dpdk@ >> >> + class netlink_rdma_socket { setopt bind create }; >> >> +@end_dpdk@ >> >> class netlink_socket { setopt getopt create connect getattr write read }; >> >> class sock_file { write }; >> >> class system { module_load module_request };
>> >> @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load >> >> #============= openvswitch_t ============== >> >> allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; >> >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; >> >> +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; >> >> +@begin_dpdk@ >> >> +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; >> >> +@end_dpdk@ >> >> allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; >> >> >> >> allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; >> >> -- >> >> 2.19.1 >> >>
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 26495828a..2adaf231f 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -49,6 +49,10 @@ require { class filesystem getattr; class lnk_file { read open }; class netlink_audit_socket { create nlmsg_relay audit_write read write }; + class netlink_netfilter_socket { create nlmsg_relay audit_write read write }; +@begin_dpdk@ + class netlink_rdma_socket { setopt bind create }; +@end_dpdk@ class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; class system { module_load module_request }; @@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load #============= openvswitch_t ============== allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; +allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; +@begin_dpdk@ +allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; +@end_dpdk@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
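Review bot: in the `@@ -49,6 +49,10 @@ require {` hunk, the permission set on the new `class netlink_netfilter_socket { create nlmsg_relay audit_write read write };` line is a verbatim copy of the `netlink_audit_socket` line above it, and `nlmsg_relay` and `audit_write` are the audit-specific permissions rather than anything a netfilter (conntrack) netlink socket is expected to use. Please check the AVC denials that audit2allow produced for `netlink_netfilter_socket` and require only the permissions actually reported there, so the require block, and the matching `allow` rule, stay at the minimum the conntrack interface needs; the DPDK-only `netlink_rdma_socket { setopt bind create }` line looks like the leaner, denial-driven set.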
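Review bot: the `@@ -75,6 +79,10 @@` hunk adds `allow openvswitch_t self:netlink_netfilter_socket { ... }` and, under `@begin_dpdk@`/`@end_dpdk@`, `allow openvswitch_t self:netlink_rdma_socket { setopt bind create };`, but the commit message gives no AVC denials and does not say which DPDK PMDs open the RDMA netlink socket, which the thread itself asks for. Please record the denials and the PMD names in the commit message so a later reader can verify that the `allow` permissions still match the `require` hunk (they do here) and can tell whether `bind`/`setopt` on the RDMA socket remain needed when the PMD set changes. Keeping the RDMA rule inside the DPDK conditional, so non-DPDK builds do not grant it, is the right call.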
These are used for interfacing with conntrack, as well as by some
DPDK PMDs

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/openvswitch-custom.te.in | 8 ++++++++
 1 file changed, 8 insertions(+)