packages/openvswitch
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openvswitch/fix-selinux-err.patch
zhangpan cb5cc1ddd2 add openvswitch-ipsec.service policy
2024-03-29 09:35:52 +00:00

105 lines
5.1 KiB
Diff
Raw Permalink Blame History

From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001
From: zhangpan <zhangpan103@h-partners.com>
Date: Fri, 29 Mar 2024 15:26:06 +0800
Subject: [PATCH] fix selinux err
add openvswitch-ipsec.service policy
---
selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 5 deletions(-)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 9f51f60..1b34147 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -12,11 +12,22 @@ require {
type openvswitch_var_run_t;
type bin_t;
+ type etc_t;
type ifconfig_exec_t;
+ type ipsec_t;
+ type ipsec_conf_file_t;
+ type ipsec_exec_t;
+ type ipsec_key_file_t;
+ type ipsec_mgmt_exec_t;
+ type ipsec_mgmt_unit_file_t;
+ type ipsec_var_run_t;
type init_t;
type init_var_run_t;
+ type initrc_t;
type insmod_exec_t;
type kernel_t;
+ type ldconfig_exec_t;
+ type systemd_systemctl_exec_t;
type hostname_exec_t;
type modules_conf_t;
type modules_dep_t;
@@ -45,7 +56,7 @@ require {
class chr_file { write getattr read open ioctl map };
class dir { write remove_name add_name lock read getattr search open };
class fd { use };
- class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+ class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
class fifo_file { getattr read write append ioctl lock open };
class filesystem getattr;
class lnk_file { read open };
@@ -55,11 +66,12 @@ require {
class netlink_rdma_socket { setopt bind create };
@end_dpdk@
class netlink_socket { setopt getopt create connect getattr write read };
- class sock_file { write };
+ class sock_file { read write };
class system { module_load module_request };
class process { sigchld signull transition noatsecure siginh rlimitinh };
class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
+ class service { start status };
@begin_dpdk@
class sock_file { read append getattr open };
class tun_socket { relabelfrom relabelto create };
@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
#============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t etc_t:dir { write };
+allow openvswitch_t ifconfig_exec_t:file map;
+allow openvswitch_t init_t:file { getattr open read };
+allow openvswitch_t init_t:lnk_file read;
+allow openvswitch_t init_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };
+allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read };
+allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write };
+allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink };
+allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read };
+allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status };
+allow openvswitch_t ipsec_var_run_t:sock_file { read write };
+allow openvswitch_t ldconfig_exec_t:file execute;
+allow openvswitch_t ldconfig_exec_t:file map;
+allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read };
+allow openvswitch_t systemd_systemctl_exec_t:file map;
+allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
+
+allow openvswitch_t self:capability { dac_override net_broadcast net_raw };
+allow openvswitch_t self:netlink_audit_socket { create read write };
+allow openvswitch_t self:netlink_netfilter_socket { create read write };
@begin_dpdk@
allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
@end_dpdk@
@@ -118,6 +149,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
+allow openvswitch_load_module_t initrc_t:fifo_file ioctl;
allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
allow openvswitch_load_module_t kernel_t:system module_request;
allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink