Message ID | 82d350eef3f3eea29e191bc83b0e8ccd4145ba89.1533057524.git.tredaelli@redhat.com |
---|---|
State | Accepted |
Series | [ovs-dev] selinux: more changes to support newer hugetlbfs restrictions |

Timothy Redaelli <tredaelli@redhat.com> writes:

> The new 'map' action is needed for 'hugetlbfs_t:file' too.
>
> CC: Aaron Conole <aconole@redhat.com>
> Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")
>
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> ---

Good catch.

Acked-by: Aaron Conole <aconole@redhat.com>

On Tue, Jul 31, 2018 at 04:01:47PM -0400, Aaron Conole wrote:
> Timothy Redaelli <tredaelli@redhat.com> writes:
>
> > The new 'map' action is needed for 'hugetlbfs_t:file' too.
> >
> > CC: Aaron Conole <aconole@redhat.com>
> > Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")
> >
> > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > ---
>
> Good catch.
>
> Acked-by: Aaron Conole <aconole@redhat.com>

Thanks Timothy and Aaron. I applied this to master.

On Tue, Jul 31, 2018 at 01:35:33PM -0700, Ben Pfaff wrote:
> On Tue, Jul 31, 2018 at 04:01:47PM -0400, Aaron Conole wrote:
> > Timothy Redaelli <tredaelli@redhat.com> writes:
> >
> > > The new 'map' action is needed for 'hugetlbfs_t:file' too.
> > >
> > > CC: Aaron Conole <aconole@redhat.com>
> > > Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")
> > >
> > > Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
> > > ---
> >
> > Good catch.
> >
> > Acked-by: Aaron Conole <aconole@redhat.com>
>
> Thanks Timothy and Aaron. I applied this to master.

and branch-2.10.

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 21de1136d..4a16e5eef 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -90,7 +90,7 @@ allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; @begin_dpdk@ allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read }; -allow openvswitch_t hugetlbfs_t:file { create unlink }; +allow openvswitch_t hugetlbfs_t:file { create unlink map }; allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t self:tun_socket { relabelfrom relabelto create }; allow openvswitch_t svirt_image_t:file { getattr read write };
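
Review bot: On the changed `allow openvswitch_t hugetlbfs_t:file { create unlink map };` line, the commit message says only that `map` is needed and gives no AVC denial or failing operation, so a later reader cannot tell which access this covers; consider quoting the denial in the message. It is also worth checking that the module still compiles against policy versions whose `file` class does not define `map`, since the only guard visible around this rule is `@begin_dpdk@`.
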
The new 'map' action is needed for 'hugetlbfs_t:file' too.

CC: Aaron Conole <aconole@redhat.com>
Fixes: d2675a146130 ("selinux: changes to support newer hugetlbfs restrictions")

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
---
 selinux/openvswitch-custom.te.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)