selinux: update for netlink socket types

These are used for interfacing with conntrack, as well as by some DPDK PMDs Signed-off-by: Aaron Conole <[email protected]> Acked-by: Ansis Atteka <[email protected]>
lut777 · Apr 21, 2019 · abf85df · abf85df
1 parent af741ca
commit abf85df
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
@@ -49,6 +49,10 @@ require {
         class filesystem getattr;
         class lnk_file { read open };
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
+        class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+        class netlink_rdma_socket { setopt bind create };
+@end_dpdk@
         class netlink_socket { setopt getopt create connect getattr write read };
         class sock_file { write };
         class system { module_load module_request };
@@ -75,6 +79,10 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+@begin_dpdk@
+allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+@end_dpdk@
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
 
 allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };