2018-06-01 14:28:47 -04:00
|
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
module openvswitch-custom @VERSION@;
|
2016-01-19 09:59:12 -08:00
|
|
|
|
|
|
|
|
require {
|
2018-06-01 14:28:45 -04:00
|
|
|
role system_r;
|
|
|
|
|
role object_r;
|
|
|
|
|
|
2016-01-19 09:59:12 -08:00
|
|
|
type openvswitch_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type openvswitch_rw_t;
|
2016-07-22 14:10:51 -07:00
|
|
|
type openvswitch_tmp_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type openvswitch_var_run_t;
|
|
|
|
|
|
2018-06-01 14:28:45 -04:00
|
|
|
type bin_t;
|
2016-07-22 14:10:51 -07:00
|
|
|
type ifconfig_exec_t;
|
2018-06-01 14:28:45 -04:00
|
|
|
type init_t;
|
|
|
|
|
type init_var_run_t;
|
|
|
|
|
type insmod_exec_t;
|
2019-01-07 15:48:19 -08:00
|
|
|
type kernel_t;
|
2016-07-22 14:10:51 -07:00
|
|
|
type hostname_exec_t;
|
2018-06-01 14:28:45 -04:00
|
|
|
type modules_conf_t;
|
2020-09-03 10:02:46 -07:00
|
|
|
type modules_dep_t;
|
2018-06-01 14:28:45 -04:00
|
|
|
type modules_object_t;
|
|
|
|
|
type passwd_file_t;
|
|
|
|
|
type plymouth_exec_t;
|
|
|
|
|
type proc_t;
|
|
|
|
|
type shell_exec_t;
|
|
|
|
|
type sssd_t;
|
|
|
|
|
type sssd_public_t;
|
|
|
|
|
type sssd_var_lib_t;
|
|
|
|
|
type sysfs_t;
|
|
|
|
|
type systemd_unit_file_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type tun_tap_device_t;
|
|
|
|
|
|
|
|
|
|
@begin_dpdk@
|
|
|
|
|
type hugetlbfs_t;
|
2018-02-27 09:21:52 -05:00
|
|
|
type svirt_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type svirt_image_t;
|
2018-02-19 09:55:43 -05:00
|
|
|
type svirt_tmpfs_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
type vfio_device_t;
|
2018-07-18 10:53:03 -04:00
|
|
|
type zero_device_t;
|
2017-08-31 19:22:45 -04:00
|
|
|
@end_dpdk@
|
|
|
|
|
|
2018-06-01 14:28:46 -04:00
|
|
|
class capability { dac_override audit_write net_broadcast net_raw };
|
2018-07-18 10:53:03 -04:00
|
|
|
class chr_file { write getattr read open ioctl map };
|
2018-06-01 14:28:45 -04:00
|
|
|
class dir { write remove_name add_name lock read getattr search open };
|
|
|
|
|
class fd { use };
|
2018-07-18 10:53:03 -04:00
|
|
|
class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
|
2018-06-01 14:28:45 -04:00
|
|
|
class fifo_file { getattr read write append ioctl lock open };
|
|
|
|
|
class filesystem getattr;
|
|
|
|
|
class lnk_file { read open };
|
2024-09-18 14:04:18 +03:00
|
|
|
class netlink_audit_socket { create nlmsg_relay read write };
|
|
|
|
|
class netlink_netfilter_socket { create read write };
|
2019-04-17 16:07:25 -04:00
|
|
|
@begin_dpdk@
|
|
|
|
|
class netlink_rdma_socket { setopt bind create };
|
|
|
|
|
@end_dpdk@
|
2016-01-19 09:59:12 -08:00
|
|
|
class netlink_socket { setopt getopt create connect getattr write read };
|
2018-06-01 14:28:45 -04:00
|
|
|
class sock_file { write };
|
2019-01-07 15:48:19 -08:00
|
|
|
class system { module_load module_request };
|
2018-06-01 14:28:45 -04:00
|
|
|
class process { sigchld signull transition noatsecure siginh rlimitinh };
|
|
|
|
|
class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
|
2017-08-31 19:22:45 -04:00
|
|
|
|
|
|
|
|
@begin_dpdk@
|
2018-06-01 14:28:45 -04:00
|
|
|
class sock_file { read append getattr open };
|
2017-08-31 19:22:45 -04:00
|
|
|
class tun_socket { relabelfrom relabelto create };
|
|
|
|
|
@end_dpdk@
|
2016-01-19 09:59:12 -08:00
|
|
|
}
|
|
|
|
|
|
2018-06-01 14:28:45 -04:00
|
|
|
#============= Set up the transition domain =============
|
|
|
|
|
type openvswitch_load_module_exec_t;
|
|
|
|
|
type openvswitch_load_module_t;
|
|
|
|
|
|
|
|
|
|
domain_type(openvswitch_load_module_exec_t);
|
|
|
|
|
domain_type(openvswitch_load_module_t);
|
|
|
|
|
role object_r types openvswitch_load_module_exec_t;
|
|
|
|
|
role system_r types openvswitch_load_module_t;
|
|
|
|
|
domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
|
|
|
|
|
domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
|
|
|
|
|
|
2016-01-19 09:59:12 -08:00
|
|
|
#============= openvswitch_t ==============
|
2018-06-01 14:28:46 -04:00
|
|
|
allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
|
2024-09-18 14:04:18 +03:00
|
|
|
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
|
|
|
|
|
allow openvswitch_t self:netlink_netfilter_socket { create read write };
|
2019-04-17 16:07:25 -04:00
|
|
|
@begin_dpdk@
|
|
|
|
|
allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
|
|
|
|
|
@end_dpdk@
|
2016-01-19 09:59:12 -08:00
|
|
|
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
|
2017-08-31 19:22:45 -04:00
|
|
|
|
2016-07-22 14:10:51 -07:00
|
|
|
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
|
|
|
|
|
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
|
2017-08-31 19:22:45 -04:00
|
|
|
|
2018-06-01 14:28:45 -04:00
|
|
|
allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink };
|
2016-07-22 14:10:51 -07:00
|
|
|
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
|
2018-07-18 10:53:03 -04:00
|
|
|
allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write remove_name add_name lock };
|
|
|
|
|
allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr create unlink };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
|
|
|
|
|
|
|
|
|
|
@begin_dpdk@
|
|
|
|
|
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
|
2018-07-31 19:18:44 +02:00
|
|
|
allow openvswitch_t hugetlbfs_t:file { create unlink map };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
|
|
|
|
|
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
|
|
|
|
|
allow openvswitch_t svirt_image_t:file { getattr read write };
|
2018-02-19 09:55:43 -05:00
|
|
|
allow openvswitch_t svirt_tmpfs_t:file { read write };
|
|
|
|
|
allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
|
|
|
|
|
allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
|
2017-08-31 19:22:45 -04:00
|
|
|
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
|
2018-07-18 10:53:03 -04:00
|
|
|
allow openvswitch_t zero_device_t:chr_file { read open getattr map };
|
2017-08-31 19:22:45 -04:00
|
|
|
@end_dpdk@
|
2018-06-01 14:28:45 -04:00
|
|
|
|
|
|
|
|
#============= Transition allows =============
|
|
|
|
|
type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t;
|
|
|
|
|
allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr };
|
|
|
|
|
allow openvswitch_t openvswitch_load_module_t:process transition;
|
|
|
|
|
|
|
|
|
|
allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
|
|
|
|
|
allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
|
|
|
|
|
allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
|
|
|
|
|
allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
|
2019-01-07 15:48:19 -08:00
|
|
|
allow openvswitch_load_module_t kernel_t:system module_request;
|
2018-06-01 14:28:45 -04:00
|
|
|
allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
|
|
|
|
|
allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
|
2020-09-03 10:02:46 -07:00
|
|
|
allow openvswitch_load_module_t modules_dep_t:file { getattr map open read };
|
2018-06-01 14:28:45 -04:00
|
|
|
allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
|
|
|
|
|
allow openvswitch_load_module_t modules_object_t:dir { getattr open read search };
|
|
|
|
|
allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
|
|
|
|
|
allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
|
|
|
|
|
allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map };
|
|
|
|
|
allow openvswitch_load_module_t proc_t:file { getattr open read };
|
|
|
|
|
allow openvswitch_load_module_t self:system module_load;
|
|
|
|
|
allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
|
2019-01-07 15:48:19 -08:00
|
|
|
allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr };
|
2018-06-01 14:28:45 -04:00
|
|
|
allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
|
|
|
|
|
allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
|
|
|
|
|
allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
|
|
|
|
|
allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search };
|
|
|
|
|
allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
|
|
|
|
|
allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
|
|
|
|
|
allow openvswitch_load_module_t sysfs_t:file { open read };
|
|
|
|
|
allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
|
|
|
|
|
allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
|
|
|
|
|
|
|
|
|
|
# no need to grant search permissions for this - and no need to emit
|
|
|
|
|
# an error, either.
|
|
|
|
|
dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search };
|
|
|
|
|
|
|
|
|
|
kernel_load_module(openvswitch_load_module_t);
|
