diff options
author | Martin Millnert <martin@millnert.se> | 2020-09-11 01:02:26 +0200 |
---|---|---|
committer | Martin Millnert <martin@millnert.se> | 2020-09-11 01:25:08 +0200 |
commit | 68849350c56b0258d21fc906b09df71a1951f694 (patch) | |
tree | 5b1df8819bc6853fed82b78cf02b934822d1925a /extras/selinux/vpp-custom.te | |
parent | 5f473c0efc9e0ff068273520b058b8ac498dc597 (diff) |
misc: selinux fixes (packet_socket r/w)
vpp-20.05 on up-to-date Centos 7.8 host with enforcing SELinux fails to
create a host-interface due to two missing SELinux-permissions:
vpp_t self:packet_socket { read write }
This simple patch adds these two permissions. Tested successfully on
local installation.
The steps to reproduce:
$ ip link add vpeer-host type veth peer name vpeer-vpp
vpp# create host-interface name vpeer-vpp
create host-interface: Permission denied (errno 13)
[...]
$ semodule -i vpp-packet-socket.pp
vpp# create host-interface name vpeer-vpp
host-vpeer-vpp
Type: fix
Ticket: VPP-1931
Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944
Signed-off-by: Martin Millnert <martin@millnert.se>
Diffstat (limited to 'extras/selinux/vpp-custom.te')
-rw-r--r-- | extras/selinux/vpp-custom.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te index 7cc2d55412a..6f183f687ad 100644 --- a/extras/selinux/vpp-custom.te +++ b/extras/selinux/vpp-custom.te @@ -46,7 +46,7 @@ files_tmp_file(vpp_tmp_t) allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent dontaudit vpp_t self:capability2 block_suspend; allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent -allow vpp_t self:packet_socket { bind create setopt ioctl map }; +allow vpp_t self:packet_socket { bind create setopt ioctl map read write }; allow vpp_t self:tun_socket { create relabelto relabelfrom }; allow vpp_t self:udp_socket { create ioctl }; allow vpp_t self:unix_dgram_socket { connect create ioctl }; |