From abf85df81a1458d0e97f5a001586898a70b79529 Mon Sep 17 00:00:00 2001
From: Aaron Conole
Date: Wed, 17 Apr 2019 16:07:25 -0400
Subject: [PATCH] selinux: update for netlink socket types

These are used for interfacing with conntrack, as well as by some DPDK PMDs

Signed-off-by: Aaron Conole
Acked-by: Ansis Atteka
---
 selinux/openvswitch-custom.te.in | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 26495828a..2adaf231f 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -49,6 +49,10 @@ require {
 class filesystem getattr;
 class lnk_file { read open };
 class netlink_audit_socket { create nlmsg_relay audit_write read write };
+ class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+ class netlink_rdma_socket { setopt bind create };
+@end_dpdk@
 class netlink_socket { setopt getopt create connect getattr write read };
 class sock_file { write };
 class system { module_load module_request };
@@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+@end_dpdk@
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
 allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
--
2.39.5
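Review bot: The new `netlink_netfilter_socket` rule in the second hunk, `allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };` (mirrored in the first hunk's `require` block), copies its permission set verbatim from the adjacent `netlink_audit_socket` line, yet `nlmsg_relay` and `audit_write` are audit-specific names that do not appear to be defined for the netfilter socket class, while permissions a conntrack session would plausibly need (`bind`, `getattr`, `setopt`) are absent. Whether a module with undefined permissions in its `require` block links at all depends on the base policy, so check the class definition on the target (e.g. `seinfo -c netlink_netfilter_socket -x`) and derive the set from the actual AVC denials rather than from the audit rule; a candidate is `allow openvswitch_t self:netlink_netfilter_socket { create bind getattr setopt read write };`, to be confirmed against those denials so the domain is not granted more than it exercises. The same check applies to the DPDK-gated `netlink_rdma_socket { setopt bind create }` rule, which grants no `read`/`write`; if the PMD only binds and sets options that is fine, otherwise the first message will be denied at runtime. The enclosing `require { }` block of the first hunk starts before and ends after the hunk.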