# SPDX-License-Identifier: Apache-2.0
#
# Custom SELinux policy module for Open vSwitch.
#
# This is a template: @VERSION@ and the @begin_dpdk@ ... @end_dpdk@ spans are
# presumably substituted/stripped at build time (the .te.in suffix suggests a
# configure-style substitution) — confirm against the build system before
# editing the markers.  Everything between the DPDK markers is only needed
# when the daemon is built with DPDK support.
#
# Layout: a require block naming every type, class and permission used by the
# rules below; a helper domain (openvswitch_load_module_t) that the main
# openvswitch_t domain transitions into for kernel-module loading; and the
# allow rules for each of the two domains.

module openvswitch-custom @VERSION@;

# Every type and every class/permission referenced by a rule further down
# must be declared here, otherwise the module fails to build.  Types come
# from the base/reference policy; only the two openvswitch_load_module_*
# types are defined by this module itself.
require {
role system_r;
role object_r;

type openvswitch_t;
type openvswitch_rw_t;
type openvswitch_tmp_t;
type openvswitch_var_run_t;

type bin_t;
type ifconfig_exec_t;
type init_t;
type init_var_run_t;
type insmod_exec_t;
type hostname_exec_t;
type modules_conf_t;
type modules_object_t;
type passwd_file_t;
type plymouth_exec_t;
type proc_t;
type shell_exec_t;
type sssd_t;
type sssd_public_t;
type sssd_var_lib_t;
type sysfs_t;
type systemd_unit_file_t;
type tun_tap_device_t;

@begin_dpdk@
type hugetlbfs_t;
type kernel_t;
type svirt_t;
type svirt_image_t;
type svirt_tmpfs_t;
type vfio_device_t;
type zero_device_t;
@end_dpdk@

class capability { dac_override audit_write net_broadcast net_raw };
class chr_file { write getattr read open ioctl map };
class dir { write remove_name add_name lock read getattr search open };
# fd/fifo_file/filesystem and the process sigchld/signull permissions are not
# used by any explicit rule below; presumably they are consumed by the
# domtrans_pattern()/kernel_load_module() expansions — confirm before removing.
class fd { use };
# NOTE(review): 'map' is listed twice in this permission set; harmless, but
# the duplicate can be dropped.
class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
class fifo_file { getattr read write append ioctl lock open };
class filesystem getattr;
class lnk_file { read open };
class netlink_audit_socket { create nlmsg_relay audit_write read write };
class netlink_socket { setopt getopt create connect getattr write read };
class sock_file { write };
class system module_load;
class process { sigchld signull transition noatsecure siginh rlimitinh };
class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };

@begin_dpdk@
# sock_file is required a second time here, widening the non-DPDK { write }
# set above; the compiler appears to merge repeated class requires — confirm
# with the DPDK build if this block is ever reorganised.
class sock_file { read append getattr open };
class tun_socket { relabelfrom relabelto create };
@end_dpdk@
}

#============= Set up the transition domain =============
# Kernel-module loading is kept out of openvswitch_t: the daemon executes a
# helper labelled openvswitch_load_module_exec_t and transitions into the
# separate openvswitch_load_module_t domain, which is the only domain below
# that is granted system:module_load.  This keeps the long-running daemon's
# privileges narrower than those of the short-lived module-loading helper.
type openvswitch_load_module_exec_t;
type openvswitch_load_module_t;

domain_type(openvswitch_load_module_exec_t);
domain_type(openvswitch_load_module_t);
role object_r types openvswitch_load_module_exec_t;
role system_r types openvswitch_load_module_t;
domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);

#============= openvswitch_t ==============
# dac_override lets the daemon bypass discretionary (owner/mode) checks and is
# the broadest grant in this section; net_raw/net_broadcast cover raw and
# broadcast socket use, audit_write the audit-netlink messages below.
allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };

# External helpers run in the openvswitch_t domain itself (execute_no_trans),
# i.e. no domain transition for hostname/ifconfig.
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };

allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
# NOTE(review): files under the writable openvswitch_rw_t and openvswitch_tmp_t
# labels may be executed in-domain (execute + execute_no_trans).  Anything able
# to write there can therefore run code as openvswitch_t; presumably required
# for helper scripts — confirm which ones, and narrow if they can be relabelled.
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };

@begin_dpdk@
# DPDK userspace datapath: hugepage-backed memory, vhost-user sockets shared
# with libvirt-managed guests (svirt_*), and direct device access via vfio.
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
allow openvswitch_t hugetlbfs_t:file { create unlink map };
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
allow openvswitch_t svirt_image_t:file { getattr read write };
allow openvswitch_t svirt_tmpfs_t:file { read write };
allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
allow openvswitch_t zero_device_t:chr_file { read open getattr map };
@end_dpdk@

#============= Transition allows =============
# These three rules spell out the transition explicitly; they appear to overlap
# with what domtrans_pattern() above already expands to — harmless, presumably
# kept for readability.
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
allow openvswitch_t openvswitch_load_module_t:process transition;

# Helper-domain rules.  The passwd/sssd/plymouth/init accesses are not
# explained here; presumably they come from the module-loading helper and the
# tools it invokes (shell, insmod) — verify against audit logs before pruning.
allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
allow openvswitch_load_module_t proc_t:file { getattr open read };
# The only module_load grant in this module; openvswitch_t itself never gets it.
allow openvswitch_load_module_t self:system module_load;
# NOTE(review): 'siginh' is listed twice; harmless duplicate.
allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
allow openvswitch_load_module_t sysfs_t:file { open read };
allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;

# no need to grant search permissions for this - and no need to emit
# an error, either.
dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search };

# Reference-policy interface granting the helper domain what it needs to load
# kernel modules, complementing the explicit module_load rule above.
kernel_load_module(openvswitch_load_module_t);