selinux: update for netlink socket types

These are used for interfacing with conntrack, as well as by some
DPDK PMDs

Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 26495828a655572209d08d75178f737597eaaf5c..2adaf231fe63c5c76386cebe25f249ffd18fd50c 100644 (file)
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -49,6 +49,10 @@ require {
         class filesystem getattr;
         class lnk_file { read open };
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
+        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+        class netlink_rdma_socket { setopt bind create };
+@end_dpdk@
         class netlink_socket { setopt getopt create connect getattr write read };
         class sock_file { write };
         class system { module_load module_request };
@@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+@end_dpdk@
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
 
 allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };