Skip to content

Commit

Permalink
selinux: allow dpdkvhostuserclient sockets with newer libvirt
Browse files Browse the repository at this point in the history 
Newer libvirt and openstack versions will now label the unix socket as
an `svirt_tmpfs_t` object.  This means that in order to support
deploying with the recommended configuration (using a
dpdkvhostuserclient socket), additional permissions need to be
installed as part of the selinux policy.

An example of some of the AVC violations:

    type=AVC msg=audit(1518752799.102:978): avc:  denied  { write }
    for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
    scontext=system_u:system_r:openvswitch_t:s0
    tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

    type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto }
    for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
    scontext=system_u:system_r:openvswitch_t:s0
    tcontext=system_u:system_r:svirt_t:s0:c106,c530
    tclass=unix_stream_socket

Signed-off-by: Aaron Conole <[email protected]>
Acked-by: Ansis Atteka <[email protected]>
  • Loading branch information
@apconole
apconole authored and Ansis Atteka committed Feb 23, 2018
1 parent ee29e9f commit ee1c729
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions selinux/openvswitch-custom.te.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ require {
type hugetlbfs_t;
type kernel_t;
type svirt_image_t;
type svirt_tmpfs_t;
type vfio_device_t;
@end_dpdk@

Expand All @@ -26,6 +27,7 @@ require {
class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };

@begin_dpdk@
class sock_file { read write append getattr open };
class tun_socket { relabelfrom relabelto create };
@end_dpdk@
}
Expand All @@ -50,5 +52,8 @@ allow openvswitch_t hugetlbfs_t:file { create unlink };
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
allow openvswitch_t svirt_image_t:file { getattr read write };
allow openvswitch_t svirt_tmpfs_t:file { read write };
allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
@end_dpdk@

0 comments on commit ee1c729

Please sign in to comment.