git.proxmox.com Git - mirror

author	Yi-Hung Wei <yihung.wei@gmail.com>
	Thu, 3 Sep 2020 17:02:46 +0000 (10:02 -0700)
committer	Ilya Maximets <i.maximets@ovn.org>
	Tue, 15 Sep 2020 22:19:37 +0000 (00:19 +0200)
commit	8d56db08831af84a5a37e16f3df24e6e22901dcd
tree	af843af2fb0b6cbb9c98c1dacecf50000faf3f99	tree
parent	32ae689274032eecc38d569d47576f191d746c5d	commit \| diff

selinux: Add missing permissions for ovs-kmod-ctl.

On RHEL 8,  a SELinux policy is missing when ovs-kmod-ctl use modprobe
to load kernel modules.  This patch adds the missing permissions based
on /var/log/audit/audit.log

Example log of the AVC violations:
  type=AVC msg=audit(1599075387.136:65): avc:  denied  { read } for
  pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629
  scontext=system_u:system_r:openvswitch_load_module_t:s0
  tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

  type=AVC msg=audit(1599085253.148:45): avc:  denied  { open } for pid=1355
  comm="modprobe" path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin"
  dev="dm-0" ino=624258 scontext=system_u:system_r:openvswitch_load_module_t:s0
  tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

VMWare-BZ: #2633569
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Greg Rose <gvrose8192@gmail.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>