selinux: introduce domain transitioned kmod helper

This commit uses the previously defined selinux label to transition from the openvswitch_t to openvswitch_load_module_t domain by executing ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t type. Note that unless the selinux relabel operation is invoked, the script will not be labelled. This merely instructs the selinux tools that ovs-kmod-ctl should have a label applied. Acked-by: Ansis Atteka <aatteka@ovn.org> Acked-by: Timothy Redaelli <tredaelli@redhat.com> Signed-off-by: Aaron Conole <aconole@redhat.com>
2025-08-31 06:15:47 +00:00 · 2018-06-01 14:28:48 -04:00
parent 341a373d0a
commit a0efb7c92d
3 changed files with 7 additions and 1 deletions
--- a/selinux/.gitignore
+++ b/selinux/.gitignore
@@ -1 +1,5 @@
 openvswitch-custom.te
+openvswitch-custom.fc
+openvswitch-custom.pp
+openvswitch-custom.if
+tmp/
--- a/selinux/automake.mk
+++ b/selinux/automake.mk
@@ -6,11 +6,12 @@
 # without warranty of any kind.

 EXTRA_DIST += \
+        selinux/openvswitch-custom.fc.in \
        selinux/openvswitch-custom.te.in

 PHONY: selinux-policy

-selinux-policy: selinux/openvswitch-custom.te
+selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
 	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile

 CLEANFILES += \
--- a/selinux/openvswitch-custom.fc.in
+++ b/selinux/openvswitch-custom.fc.in
@@ -0,0 +1 @@
+@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
				`@@ -0,0 +1 @@`
				`@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)`