From 79687d92fe652b4b7563c3d436753ab03c395f3f Mon Sep 17 00:00:00 2001
From: Christian Svensson
Date: Mon, 6 Feb 2023 17:24:26 +0100
Subject: misc: define SElinux mapped file permissions

SElinux added support for defining what files can be mmap()'d a while back. This change defines those files that VPP maps. This is needed for EL9 support
Type: fix
Signed-off-by: Christian Svensson
Change-Id: Iedd26914e29347169c4cc138628df7823ddd5691
---
 extras/selinux/vpp-custom.te | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'extras/selinux/vpp-custom.te')
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
index 6f183f687ad..27abbf92f85 100644
--- a/extras/selinux/vpp-custom.te
+++ b/extras/selinux/vpp-custom.te
@@ -10,6 +10,8 @@ gen_require(`
 type svirt_t;
 type svirt_image_t;
 type systemd_sysctl_t;
+ type hugetlbfs_t;
+ type sysfs_t;
 class capability sys_admin;
 ')
@@ -56,7 +58,7 @@ allow vpp_t self:netlink_socket { bind create setopt };
 manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
 manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
-allow vpp_t vpp_lib_t:file execute;
+allow vpp_t vpp_lib_t:file { execute map };
 files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
 manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
@@ -77,6 +79,7 @@ files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
 manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
 manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+allow vpp_t vpp_tmpfs_t:file map;
 fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
 read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
@@ -141,4 +144,16 @@ allow vpp_t svirt_image_t:file { read write };
 read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+########################################
+#
+# hugetlbfs
+#
+
+allow vpp_t hugetlbfs_t:file map;
+
+########################################
+#
+# dpdk
+#
+allow vpp_t sysfs_t:file map;
-- 
cgit 1.2.3-korg
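Review bot: `allow vpp_t vpp_lib_t:file { execute map };` in the second hunk sits directly under `manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)`, so the domain that may create and write files of this type may now also map them executable. Which vpp_lib_t files actually need an executable mapping cannot be told from the hunk. If it is only a fixed set of shipped objects, a separate type that vpp_t can read, execute and map but not write would keep the write and execute paths apart. At minimum the rule deserves a comment above it, for example `# <what vpp maps from its lib dir>: execute+map on a type vpp_t can also write, keep under review`.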
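Review bot: `allow vpp_t sysfs_t:file map;` under the `# dpdk` header in the last hunk applies to every file carrying the generic sysfs_t label, and the header does not say which files DPDK maps. A comment such as `# DPDK mmap()s device resource files under /sys (presumably PCI BARs; confirm paths)` would let a later reviewer check whether a narrower label exists on the target policy. `allow vpp_t hugetlbfs_t:file map;` would benefit from the same kind of one-line statement of what is mapped. Both rules, together with the `type hugetlbfs_t;` and `type sysfs_t;` lines added to gen_require in the first hunk, name types owned by other modules. Where the base policy offers an interface for this access, calling it is the usual refpolicy style and removes the direct require.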