-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-ovs.te
131 lines (105 loc) · 3.37 KB
/
os-ovs.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#
# openstack-selinux policy for RHEL7
#
# Allow openvswitch to write to files in /tmp
#
# Author: Lon Hohberger <[email protected]>
#
policy_module(os-ovs,0.1)
gen_require(`
type openvswitch_t;
type neutron_t;
type openvswitch_tmp_t;
type svirt_t;
type sysctl_net_t;
type unreserved_port_t;
type init_tmp_t;
type tun_tap_device_t;
type svirt_t;
type svirt_tmpfs_t;
type virt_cache_t;
type spc_t;
class dir search;
class file { write read getattr open };
class tcp_socket name_bind;
class tun_socket create;
class chr_file open;
class netlink_generic_socket create_socket_perms;
class netlink_audit_socket { create nlmsg_relay read write };
class capability audit_write;
class packet_socket create_socket_perms;
class unix_stream_socket { read write connectto };
')
# Bugzilla 1108187
allow openvswitch_t init_tmp_t:file write;
# Bugzilla 1259419
swift_manage_data_files(openvswitch_t)
# Bugzilla 1284268
corenet_rw_inherited_tun_tap_dev(openvswitch_t)
allow openvswitch_t self:tun_socket create;
allow openvswitch_t tun_tap_device_t:chr_file open;
# Bugzilla 1284268
corenet_tcp_bind_ovsdb_port(openvswitch_t)
# Bugzilla 1372453
corenet_tcp_connect_vnc_port(openvswitch_t)
# Bugzilla 1397537
allow openvswitch_t self:netlink_socket create_socket_perms;
allow svirt_t openvswitch_t:unix_stream_socket connectto;
exec_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
kernel_stream_connect(openvswitch_t)
corenet_rw_tun_tap_dev(openvswitch_t)
dev_rw_vfio_dev(openvswitch_t)
fs_manage_hugetlbfs_files(openvswitch_t)
fs_manage_hugetlbfs_dirs(openvswitch_t)
sysnet_exec_ifconfig(openvswitch_t)
# bugzilla #1419418
allow openvswitch_t self:netlink_generic_socket create_socket_perms;
# bugzilla #1431556
allow openvswitch_t virt_cache_t:dir list_dir_perms;
allow openvswitch_t virt_cache_t:sock_file manage_sock_file_perms;
allow svirt_t virt_cache_t:sock_file manage_sock_file_perms;
optional_policy(`
hostname_exec(openvswitch_t)
')
optional_policy(`
virt_manage_images(openvswitch_t)
virt_stream_connect_svirt(openvswitch_t)
')
# bugzilla #1431556
allow openvswitch_t self:packet_socket create_socket_perms;
allow openvswitch_t self:capability net_raw;
optional_policy(`
gen_require(`
type neutron_t;
')
allow openvswitch_t neutron_t:dir search;
')
# bugzilla #1448887
#
# ovs-vsctl tries to read /proc/[ppid]/cmdline in order to
# Print debugging information. Allowing OVS to read all of
# neutron_t labeled files so the parent's cmdline can be
# printed is not worth this information at this time
#
dontaudit openvswitch_t neutron_t:file { read open getattr };
# bugzilla #1489863
#
# Something unsets nis_enabled; this works around that by
# enabling binding to reserved and unreserved ports (bugzillas
# #1259419, #1310383)
corenet_tcp_connect_all_ports(openvswitch_t)
# #1498797
allow openvswitch_t self:capability { audit_write };
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
gen_tunable(os_openvswitch_dac_override, false)
tunable_policy(`os_openvswitch_dac_override',`
allow openvswitch_t self:capability dac_override;
')
# #1542107
allow openvswitch_t svirt_tmpfs_t:file { read write };
# #1554964
corenet_tcp_bind_all_ports(openvswitch_t)
# #1572510
allow openvswitch_t svirt_t:unix_stream_socket { read write };
# bugzilla #1707840
allow openvswitch_t spc_t:unix_stream_socket { read write };