2016-07-22 14:10:51 -07:00
|
|
|
module openvswitch-custom 1.0.1;
|
2016-01-19 09:59:12 -08:00
|
|
|
|
|
|
|
|
require {
|
|
|
|
|
type openvswitch_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type openvswitch_rw_t;
|
2016-07-22 14:10:51 -07:00
|
|
|
type openvswitch_tmp_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type openvswitch_var_run_t;
|
|
|
|
|
|
2016-07-22 14:10:51 -07:00
|
|
|
type ifconfig_exec_t;
|
|
|
|
|
type hostname_exec_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type tun_tap_device_t;
|
|
|
|
|
|
|
|
|
|
@begin_dpdk@
|
|
|
|
|
type hugetlbfs_t;
|
|
|
|
|
type kernel_t;
|
|
|
|
|
type svirt_image_t;
|
|
|
|
|
type vfio_device_t;
|
|
|
|
|
@end_dpdk@
|
|
|
|
|
|
|
|
|
|
class capability { dac_override audit_write };
|
2017-09-01 13:17:38 -04:00
|
|
|
class chr_file { write getattr read open ioctl };
|
2017-08-31 19:22:45 -04:00
|
|
|
class dir { write remove_name add_name lock read };
|
|
|
|
|
class file { write getattr read open execute execute_no_trans create unlink };
|
|
|
|
|
class netlink_audit_socket { create nlmsg_relay audit_write read write };
|
2016-01-19 09:59:12 -08:00
|
|
|
class netlink_socket { setopt getopt create connect getattr write read };
|
2017-08-31 19:22:45 -04:00
|
|
|
class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
|
|
|
|
|
|
|
|
|
|
@begin_dpdk@
|
|
|
|
|
class tun_socket { relabelfrom relabelto create };
|
|
|
|
|
@end_dpdk@
|
2016-01-19 09:59:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#============= openvswitch_t ==============
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t self:capability { dac_override audit_write };
|
|
|
|
|
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
|
2016-01-19 09:59:12 -08:00
|
|
|
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
|
2017-08-31 19:22:45 -04:00
|
|
|
|
2016-07-22 14:10:51 -07:00
|
|
|
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
|
|
|
|
|
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
|
2017-08-31 19:22:45 -04:00
|
|
|
|
|
|
|
|
allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read };
|
|
|
|
|
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
|
2016-07-22 14:10:51 -07:00
|
|
|
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
|
|
|
|
|
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
|
|
|
|
|
|
|
|
|
|
@begin_dpdk@
|
|
|
|
|
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
|
|
|
|
|
allow openvswitch_t hugetlbfs_t:file { create unlink };
|
|
|
|
|
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
|
|
|
|
|
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
|
|
|
|
|
allow openvswitch_t svirt_image_t:file { getattr read write };
|
|
|
|
|
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
|
|
|
|
|
@end_dpdk@
|
