From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Fri, 29 Mar 2024 15:26:06 +0800
Subject: [PATCH] fix selinux err add openvswitch-ipsec.service policy
---
 selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 5 deletions(-)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 9f51f60..1b34147 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -12,11 +12,22 @@ require {
 type openvswitch_var_run_t;
 type bin_t;
+ type etc_t;
 type ifconfig_exec_t;
+ type ipsec_t;
+ type ipsec_conf_file_t;
+ type ipsec_exec_t;
+ type ipsec_key_file_t;
+ type ipsec_mgmt_exec_t;
+ type ipsec_mgmt_unit_file_t;
+ type ipsec_var_run_t;
 type init_t;
 type init_var_run_t;
+ type initrc_t;
 type insmod_exec_t;
 type kernel_t;
+ type ldconfig_exec_t;
+ type systemd_systemctl_exec_t;
 type hostname_exec_t;
 type modules_conf_t;
 type modules_dep_t;
@@ -45,7 +56,7 @@ require {
 class chr_file { write getattr read open ioctl map };
 class dir { write remove_name add_name lock read getattr search open };
 class fd { use };
- class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+ class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
 class fifo_file { getattr read write append ioctl lock open };
 class filesystem getattr;
 class lnk_file { read open };
@@ -55,11 +66,12 @@ require {
 class netlink_rdma_socket { setopt bind create };
 @end_dpdk@
 class netlink_socket { setopt getopt create connect getattr write read };
- class sock_file { write };
+ class sock_file { read write };
 class system { module_load module_request };
 class process { sigchld signull transition noatsecure siginh rlimitinh };
 class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
+ class service { start status };
 @begin_dpdk@
 class sock_file { read append getattr open };
 class tun_socket { relabelfrom relabelto create };
@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
 domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
 #============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t etc_t:dir { write };
+allow openvswitch_t ifconfig_exec_t:file map;
+allow openvswitch_t init_t:file { getattr open read };
+allow openvswitch_t init_t:lnk_file read;
+allow openvswitch_t init_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };
+allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read };
+allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write };
+allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink };
+allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read };
+allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status };
+allow openvswitch_t ipsec_var_run_t:sock_file { read write };
+allow openvswitch_t ldconfig_exec_t:file execute;
+allow openvswitch_t ldconfig_exec_t:file map;
+allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read };
+allow openvswitch_t systemd_systemctl_exec_t:file map;
+allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
+
+allow openvswitch_t self:capability { dac_override net_broadcast net_raw };
+allow openvswitch_t self:netlink_audit_socket { create read write };
+allow openvswitch_t self:netlink_netfilter_socket { create read write };
 @begin_dpdk@
 allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
 @end_dpdk@
@@ -118,6 +149,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
 allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
 allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
 allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
+allow openvswitch_load_module_t initrc_t:fifo_file ioctl;
 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
 allow openvswitch_load_module_t kernel_t:system module_request;
 allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
-- 
2.27.0
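Review bot: The three `allow openvswitch_t self:...` lines near the end of the hunk drop `audit_write` from the capability set and `nlmsg_relay audit_write` from the netlink_audit_socket and netlink_netfilter_socket rules; that is a permission removal unrelated to the IPsec additions and absent from the subject, so if ovs-vswitchd still emits audit records those denials come back, and the removal should either be reverted or justified in the commit message. The new `ipsec_exec_t` and `ipsec_mgmt_exec_t` rules grant `execute_no_trans`, so the IPsec binaries run inside `openvswitch_t` rather than transitioning into the IPsec domains, which is why key-file create/unlink, `etc_t:dir write`, ldconfig and systemctl accesses now accumulate on the vswitchd domain; a domain transition (refpolicy's `ipsec_domtrans_mgmt()` interface, if the target policy ships it) would keep those out of `openvswitch_t`. `allow openvswitch_t etc_t:dir { write };` grants write on every etc_t directory yet without `add_name`/`remove_name`, which suggests a single captured denial rather than the access the helper actually needs; a dedicated file context for the path it writes would be narrower. The `ldconfig_exec_t` and `systemd_systemctl_exec_t` grants are spread over several lines with overlapping permissions, audit2allow-style; merging each into one rule, e.g. `allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans map open read };`, makes the grant easier to review.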
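Review bot: `allow openvswitch_load_module_t initrc_t:fifo_file ioctl;` grants ioctl alone on an initrc_t fifo, which from the rule looks like an inherited stdout/stderr pipe being probed by the module-loading helper; if so, `read`/`write`/`getattr` denials on the same pipe are likely to follow, and if the ioctl is only a terminal probe a `dontaudit` would be the narrower answer than an allow. The init script that hands over that pipe is outside this file, so which case applies cannot be told from the hunk.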