[mirror_ovs.git] / selinux / openvswitch-custom.te.in

module openvswitch-custom 1.0.1;

require {
        type openvswitch_t;
        type openvswitch_rw_t;
        type openvswitch_tmp_t;
        type openvswitch_var_run_t;

        type ifconfig_exec_t;
        type hostname_exec_t;
        type tun_tap_device_t;

@begin_dpdk@
        type hugetlbfs_t;
        type kernel_t;
        type svirt_image_t;
        type vfio_device_t;
@end_dpdk@

        class capability { dac_override audit_write };
        class chr_file { write getattr read open ioctl };
        class dir { write remove_name add_name lock read };
        class file { write getattr read open execute execute_no_trans create unlink };
        class netlink_audit_socket { create nlmsg_relay audit_write read write };
        class netlink_socket { setopt getopt create connect getattr write read };
        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };

@begin_dpdk@
        class tun_socket { relabelfrom relabelto create };
@end_dpdk@
}

#============= openvswitch_t ==============
allow openvswitch_t self:capability { dac_override audit_write };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };

allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };

allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };

@begin_dpdk@
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
allow openvswitch_t hugetlbfs_t:file { create unlink };
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
allow openvswitch_t svirt_image_t:file { getattr read write };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
@end_dpdk@
Commit	Line	Data
5e2e3ada	1	module openvswitch-custom 1.0.1;
9b897c91 AA	2
	3	require {
	4	type openvswitch_t;
84d27233	5	type openvswitch_rw_t;
5e2e3ada	6	type openvswitch_tmp_t;
84d27233 AC	7	type openvswitch_var_run_t;
84d27233 AC	8
5e2e3ada JS	9	type ifconfig_exec_t;
5e2e3ada JS	10	type hostname_exec_t;
84d27233 AC	11	type tun_tap_device_t;
	12
	13	@begin_dpdk@
	14	type hugetlbfs_t;
	15	type kernel_t;
	16	type svirt_image_t;
	17	type vfio_device_t;
	18	@end_dpdk@
	19
	20	class capability { dac_override audit_write };
d5f851e6	21	class chr_file { write getattr read open ioctl };
84d27233 AC	22	class dir { write remove_name add_name lock read };
	23	class file { write getattr read open execute execute_no_trans create unlink };
	24	class netlink_audit_socket { create nlmsg_relay audit_write read write };
9b897c91	25	class netlink_socket { setopt getopt create connect getattr write read };
84d27233 AC	26	class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
	27
	28	@begin_dpdk@
84d27233 AC	29	class tun_socket { relabelfrom relabelto create };
84d27233 AC	30	@end_dpdk@
9b897c91 AA	31	}
	32
	33	#============= openvswitch_t ==============
84d27233 AC	34	allow openvswitch_t self:capability { dac_override audit_write };
84d27233 AC	35	allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
9b897c91	36	allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
84d27233	37
5e2e3ada JS	38	allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
5e2e3ada JS	39	allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
84d27233 AC	40
	41	allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
	42	allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
5e2e3ada	43	allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
84d27233 AC	44	allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
	45	allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
	46
	47	@begin_dpdk@
	48	allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
	49	allow openvswitch_t hugetlbfs_t:file { create unlink };
	50	allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
	51	allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
	52	allow openvswitch_t svirt_image_t:file { getattr read write };
	53	allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
	54	@end_dpdk@