misc: selinux fixes (packet_socket r/w)
vpp-20.05 on up-to-date Centos 7.8 host with enforcing SELinux fails to
create a host-interface due to two missing SELinux-permissions:
vpp_t self:packet_socket { read write }
This simple patch adds these two permissions. Tested successfully on
local installation.
The steps to reproduce:
$ ip link add vpeer-host type veth peer name vpeer-vpp
vpp# create host-interface name vpeer-vpp
create host-interface: Permission denied (errno 13)
[...]
$ semodule -i vpp-packet-socket.pp
vpp# create host-interface name vpeer-vpp
host-vpeer-vpp
Type: fix
Ticket: VPP-1931
Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944
Signed-off-by: Martin Millnert <martin@millnert.se>
(cherry picked from commit 68849350c5)
Committed by: Andrew Yourtchenko
Parent: 6f1a86f187
Commit: cb94290d5f
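As an added illustration (not part of this commit or of the VPP project's own tooling), the following Python derives the `allow` line this patch introduces from AVC denial records, the way audit2allow does, and merges it with the permissions the existing policy line already grants. The audit lines, pid and comm values are constructed samples, not records from the page.

```python
import re
from collections import defaultdict

# Constructed sample AVC records modelled on the errno 13 failure in the
# commit message; pid/comm/timestamps are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1590000000.101:311): avc:  denied  { read } for  pid=2412 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1590000000.102:312): avc:  denied  { write } for  pid=2412 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0
type=AVC msg=audit(1590000000.103:313): avc:  denied  { read } for  pid=2412 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0
type=SYSCALL msg=audit(1590000000.103:313): arch=c000003e syscall=44 success=no exit=-13
"""

# Standard AVC layout: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no AVC fields
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials, existing=None):
    """Render allow rules; `existing` maps (src, target, class) to perms already granted."""
    existing = existing or {}
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # same-type access is written as self
        granted = list(existing.get((src, target, tclass), []))
        merged = granted + sorted(p for p in perms if p not in granted)
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(merged)} }};")
    return rules
```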
@@ -46,7 +46,7 @@ files_tmp_file(vpp_tmp_t)
allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent
dontaudit vpp_t self:capability2 block_suspend;
allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
allow vpp_t self:packet_socket { bind create setopt ioctl map };
allow vpp_t self:packet_socket { bind create setopt ioctl map read write };
allow vpp_t self:tun_socket { create relabelto relabelfrom };
allow vpp_t self:udp_socket { create ioctl };
allow vpp_t self:unix_dgram_socket { connect create ioctl };
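Review bot: the widened rule `allow vpp_t self:packet_socket { bind create setopt ioctl map read write };` is the minimal change for the af_packet host-interface data path and stays scoped to sockets vpp_t creates itself, unlike the neighbouring capability and process rules that the policy already flags as "# too benevolent"; to make the permission set traceable to evidence rather than only to the local test, the commit message should quote the AVC records behind the errno 13 (the `avc: denied { read }` and `{ write }` entries with `tclass=packet_socket` for the vpp_t source and target context) next to the reproduction steps.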