selinux: Allow ovs-ctl force-reload-kmod.
When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
force-reload-kmod', spurious errors related to 'hostname' and 'ip' would
be output, and the system's selinux audit log would complain about some
of the invocations such as those listed at the end of this commit message.

This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
well as all of the OVS daemons) to allow it to execute 'hostname' and
'ip' commands, and also to execute temporary files created as
openvswitch_tmp_t. This allows force-reload-kmod to run correctly.

Example audit logs:
type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file

VMware-BZ: #1692972
Signed-off-by: Joe Stringer <[email protected]>
Acked-by: Flavio Leitner <[email protected]>
joestringer committed Jul 26, 2016
1 parent 30b7936 commit 5e2e3ad
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion selinux/openvswitch-custom.te
@@ -1,9 +1,16 @@
module openvswitch-custom 1.0;
module openvswitch-custom 1.0.1;

require {
type openvswitch_t;
type openvswitch_tmp_t;
type ifconfig_exec_t;
type hostname_exec_t;
class netlink_socket { setopt getopt create connect getattr write read };
class file { write getattr read open execute execute_no_trans };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
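Review bot: The last allow line grants openvswitch_t `execute execute_no_trans` on openvswitch_tmp_t, and since the same domain covers the long-running daemons (as the commit message notes) and not only ovs-ctl, any file those daemons can write into their tmp context becomes executable in their own domain; the `write` permission already listed in the require block suggests the domain does have write access to these files, which would remove the write/execute separation the policy otherwise provides, though whether openvswitch_tmp_t is writable by the daemons is not visible in this hunk. The three new allow rules also carry no comment explaining why they exist or why the commands run in-domain (`execute_no_trans`) rather than transitioning, so a later maintainer cannot tell which denial each rule answers. I would add above the hostname/ifconfig rules `# ovs-ctl and ovs-save run 'hostname' and 'ip' in-domain during force-reload-kmod` and above the tmp rule `# force-reload-kmod executes a mktemp script labelled openvswitch_tmp_t; note this also applies to the daemons sharing openvswitch_t`. If a narrower type for the helper script is feasible, scoping the execute grant to it rather than to all of openvswitch_tmp_t would be preferable.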
