author | Christian Svensson <blue@cmd.nu> | 2023-02-06 17:24:26 +0100 |
committer | Damjan Marion <dmarion@0xa5.net> | 2023-03-06 14:22:36 +0000 |
commit | 79687d92fe652b4b7563c3d436753ab03c395f3f (patch) | |
tree | a62c46914f044b07f6f40fbb35f7c02dda365e10 | |
parent | 184a70a58c8e48f569e0faa88869f27844db39de (diff) |
misc: define SElinux mapped file permissions
SElinux added support a while back for defining which files may be mmap()'d.
This change defines those files that VPP maps.
This is needed for EL9 support.
Type: fix
Signed-off-by: Christian Svensson <blue@cmd.nu>
Change-Id: Iedd26914e29347169c4cc138628df7823ddd5691
-rw-r--r-- | extras/selinux/vpp-custom.te | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
index 6f183f687ad..27abbf92f85 100644
--- a/extras/selinux/vpp-custom.te
+++ b/extras/selinux/vpp-custom.te
@@ -10,6 +10,8 @@ gen_require(`
 type svirt_t;
 type svirt_image_t;
 type systemd_sysctl_t;
+type hugetlbfs_t;
+type sysfs_t;
 class capability sys_admin;
 ')
@@ -56,7 +58,7 @@ allow vpp_t self:netlink_socket { bind create setopt };
 manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
 manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
-allow vpp_t vpp_lib_t:file execute;
+allow vpp_t vpp_lib_t:file { execute map };
 files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
 manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
@@ -77,6 +79,7 @@ files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
 manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
 manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+allow vpp_t vpp_tmpfs_t:file map;
 fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
 read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
@@ -141,4 +144,16 @@ allow vpp_t svirt_image_t:file { read write };
 read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+########################################
+#
+# hugetlbfs
+#
+
+allow vpp_t hugetlbfs_t:file map;
+
+########################################
+#
+# dpdk
+#
+allow vpp_t sysfs_t:file map;
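Review bot: The `allow vpp_t sysfs_t:file map;` rule in the last hunk is the broadest grant in this change, because sysfs_t labels most of the /sys tree rather than only the few device files DPDK needs to map, and the one-word `# dpdk` banner does not record which files those are. A comment under that banner naming the sysfs entries that are actually mmap()'d (presumably PCI resource files, which should be confirmed against the DPDK code path) would let a later reviewer judge whether the type-wide `map` is still the minimum needed. Note that `map` only has effect together with a matching read or write permission on the same files, and whatever grants those on sysfs_t to vpp_t lies outside this hunk. As a point of style, the `# dpdk` banner lacks the blank line that separates the `# hugetlbfs` banner from its rule; adding one keeps the two new sections uniform.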