selinux: move chr_file to non-dpdk as well

A last-minute change to the selinux policy caught by testing
incorrectly omitted moving a definition from non-dpdk to dpdk.

This moves the chr_file definition to a non-dpdk enabled permission,
which should allow non-dpdk enabled builds to work.

Fixes: 84d272330506 ("selinux: update policy to reflect non-root and dpdk support")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-by: Ansis Atteka <aatteka@ovn.org>

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 853de1618fd7ce0571d54a435511e7e1826b4e34..c1a774f0e950524d7490b18a329642fafda7775f 100644 (file)
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -18,6 +18,7 @@ require {
 @end_dpdk@
 
         class capability { dac_override audit_write };
+        class chr_file { write getattr read open ioctl };
         class dir { write remove_name add_name lock read };
         class file { write getattr read open execute execute_no_trans create unlink };
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
@@ -25,7 +26,6 @@ require {
         class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
 
 @begin_dpdk@
-        class chr_file { write getattr read open ioctl };
         class tun_socket { relabelfrom relabelto create };
 @end_dpdk@
 }