Updates SELinux to allow ovs-vsctl to get parent process information and log that to the database:
record 241: 2016-07-26 00:59:47.418 "ovs-vsctl (invoked by /bin/bash (pid 1589)): ovs-vsctl -t 10 -- --if-exist ... Jul 25 12:57:35 localhost.localdomain audit[830]: AVC avc: denied { search } for pid=830 comm="ovs-vsctl" name="731" dev="proc" ino=14140 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir permissive=0 Signed-off-by: Flavio Leitner <f...@redhat.com> --- selinux/openvswitch-custom.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te index fc32b97..5739595 100644 --- a/selinux/openvswitch-custom.te +++ b/selinux/openvswitch-custom.te @@ -2,8 +2,13 @@ module openvswitch-custom 1.0; require { type openvswitch_t; + attribute domain; class netlink_socket { setopt getopt create connect getattr write read }; + class dir { search }; + class file { open getattr read }; } #============= openvswitch_t ============== allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; +allow openvswitch_t domain:dir { search }; +allow openvswitch_t domain:file { open getattr read }; -- 2.7.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
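Review bot: the two new allow rules are broader than the stated goal of reading the parent process's information: the `domain` attribute matches every process type on the system, so `allow openvswitch_t domain:dir { search };` and `allow openvswitch_t domain:file { open getattr read };` let openvswitch_t open and read any /proc/<pid>/ file of any domain, not just the shell that invoked ovs-vsctl (the denial shown is only for `search` against initrc_t). If the lookup only needs the parent's command line, consider documenting in the .te file which /proc files are read and why the full `domain` attribute was chosen, or narrowing the target types; the module also stays at `module openvswitch-custom 1.0;` even though its rule set changes, so bumping the version would let deployed systems tell the two policies apart.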