From 58c66c19006622bcb1f06685966e6ab67883e6df Mon Sep 17 00:00:00 2001
From: Roi Dayan
Date: Sun, 6 Oct 2024 13:45:46 +0300
Subject: [PATCH] selinux: Add missing permissions for netlink_rdma_socket.

After testing with DPDK found netlink_rdma_socket missing permissions 'getattr' and 'getopt' in the audit logs.

Signed-off-by: Roi Dayan
Signed-off-by: Aaron Conole
---
 selinux/openvswitch-custom.te.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index fe2c5bb61..776b3946d 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -52,7 +52,7 @@ require {
 class netlink_audit_socket { create nlmsg_relay read write };
 class netlink_netfilter_socket { create read write };
 @begin_dpdk@
- class netlink_rdma_socket { setopt bind create };
+ class netlink_rdma_socket { setopt getattr getopt bind create };
 @end_dpdk@
 class netlink_socket { setopt getopt create connect getattr write read };
 class sock_file { write };
@@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
 allow openvswitch_t self:netlink_netfilter_socket { create read write };
 @begin_dpdk@
-allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create };
 @end_dpdk@
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
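Review bot: The `getattr getopt` additions on the `allow openvswitch_t self:netlink_rdma_socket` rule were derived from audit denials, and in enforcing mode the log only records the first permission that fails on a given path, so any later requirement on the same socket (the sibling `netlink_socket` rule, for comparison, also carries `read write`) would only surface as a new denial after this rule is installed. Before merging, it would be worth re-running the DPDK test in permissive mode (`setenforce 0`) with this patch applied and confirming the audit log shows no further `netlink_rdma_socket` denials, then saying so in the commit message. The rule sits inside the `@begin_dpdk@`/`@end_dpdk@` region, so non-DPDK policy builds are unaffected, which is the right scoping. A one-line comment above the rule stating which DPDK component opens the RDMA netlink socket (presumably rdma-core device discovery for mlx5 PMDs — confirm) would make the permission set auditable later, e.g. `# DPDK: RDMA netlink socket opened during device probing; set derived from audit denials`.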