Message ID | 20241006104546.1622992-1-roid@nvidia.com |
---|---|
State | Accepted |
Commit | 58c66c19006622bcb1f06685966e6ab67883e6df |
Delegated to: | aaron conole |
Series | [ovs-dev,1/1] selinux: Add missing permissions for netlink_rdma_socket. |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | fail | github build: failed |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
On 06/10/2024 13:45, Roi Dayan wrote: > After testing with DPDK found netlink_rdma_socket missing > permissions 'getattr' and 'getopt' in the audit logs. > > Signed-off-by: Roi Dayan <roid@nvidia.com> > --- > selinux/openvswitch-custom.te.in | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > index fe2c5bb61a57..776b3946d6ab 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -52,7 +52,7 @@ require { > class netlink_audit_socket { create nlmsg_relay read write }; > class netlink_netfilter_socket { create read write }; > @begin_dpdk@ > - class netlink_rdma_socket { setopt bind create }; > + class netlink_rdma_socket { setopt getattr getopt bind create }; > @end_dpdk@ > class netlink_socket { setopt getopt create connect getattr write read }; > class sock_file { write }; > @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net > allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; > allow openvswitch_t self:netlink_netfilter_socket { create read write }; > @begin_dpdk@ > -allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; > +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create }; > @end_dpdk@ > allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; > the robot failed but doesn't seem related to the patch. it failed on check-offloads test check_pkt_len @@ -1,3 +1,3 @@ in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3)) -in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:output +in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256, used:0.001s, actions:output
On 6 Oct 2024, at 13:49, Roi Dayan via dev wrote: > On 06/10/2024 13:45, Roi Dayan wrote: >> After testing with DPDK found netlink_rdma_socket missing >> permissions 'getattr' and 'getopt' in the audit logs. >> >> Signed-off-by: Roi Dayan <roid@nvidia.com> >> --- >> selinux/openvswitch-custom.te.in | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in >> index fe2c5bb61a57..776b3946d6ab 100644 >> --- a/selinux/openvswitch-custom.te.in >> +++ b/selinux/openvswitch-custom.te.in >> @@ -52,7 +52,7 @@ require { >> class netlink_audit_socket { create nlmsg_relay read write }; >> class netlink_netfilter_socket { create read write }; >> @begin_dpdk@ >> - class netlink_rdma_socket { setopt bind create }; >> + class netlink_rdma_socket { setopt getattr getopt bind create }; >> @end_dpdk@ >> class netlink_socket { setopt getopt create connect getattr write read }; >> class sock_file { write }; >> @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net >> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; >> allow openvswitch_t self:netlink_netfilter_socket { create read write }; >> @begin_dpdk@ >> -allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; >> +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create }; >> @end_dpdk@ >> allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; >> > > > the robot failed but doesn't seem related to the patch. > it failed on check-offloads test check_pkt_len 
> > @@ -1,3 +1,3 @@ > in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3)) > -in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:output > +in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256, used:0.001s, actions:output You can ask the robot to re-run the test by sending a message that includes: Recheck-request: github-robot (this should do it ;) //Eelco
On 07/10/2024 9:53, Eelco Chaudron wrote: > > > On 6 Oct 2024, at 13:49, Roi Dayan via dev wrote: > >> On 06/10/2024 13:45, Roi Dayan wrote: >>> After testing with DPDK found netlink_rdma_socket missing >>> permissions 'getattr' and 'getopt' in the audit logs. >>> >>> Signed-off-by: Roi Dayan <roid@nvidia.com> >>> --- >>> selinux/openvswitch-custom.te.in | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in >>> index fe2c5bb61a57..776b3946d6ab 100644 >>> --- a/selinux/openvswitch-custom.te.in >>> +++ b/selinux/openvswitch-custom.te.in >>> @@ -52,7 +52,7 @@ require { >>> class netlink_audit_socket { create nlmsg_relay read write }; >>> class netlink_netfilter_socket { create read write }; >>> @begin_dpdk@ >>> - class netlink_rdma_socket { setopt bind create }; >>> + class netlink_rdma_socket { setopt getattr getopt bind create }; >>> @end_dpdk@ >>> class netlink_socket { setopt getopt create connect getattr write read }; >>> class sock_file { write }; >>> @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net >>> allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; >>> allow openvswitch_t self:netlink_netfilter_socket { create read write }; >>> @begin_dpdk@ >>> -allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; >>> +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create }; >>> @end_dpdk@ >>> allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; >>> >> >> >> the robot failed but doesn't seem related to the patch. >> it failed on check-offloads test check_pkt_len 
>> >> @@ -1,3 +1,3 @@ >> in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:check_pkt_len(size=200,gt(3),le(3)) >> -in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:19, bytes:11614, used:0.001s, actions:output >> +in_port(3),eth(),eth_type(0x0800),ipv4(frag=no), packets:18, bytes:11256, used:0.001s, actions:output > > You can ask the robot to re-run the test by sending a message that includes: > > Recheck-request: github-robot > > (this should do it ;) > > //Eelco > great. thanks. it passed now :)
Roi Dayan via dev <ovs-dev@openvswitch.org> writes:
> After testing with DPDK found netlink_rdma_socket missing
> permissions 'getattr' and 'getopt' in the audit logs.
>
> Signed-off-by: Roi Dayan <roid@nvidia.com>
> ---

Thanks for the patch - applied.
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index fe2c5bb61a57..776b3946d6ab 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -52,7 +52,7 @@ require { class netlink_audit_socket { create nlmsg_relay read write }; class netlink_netfilter_socket { create read write }; @begin_dpdk@ - class netlink_rdma_socket { setopt bind create }; + class netlink_rdma_socket { setopt getattr getopt bind create }; @end_dpdk@ class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; @@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; allow openvswitch_t self:netlink_netfilter_socket { create read write }; @begin_dpdk@ -allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create }; @end_dpdk@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
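Review bot: the `require` hunk (@@ -52,7 +52,7 @@) declares `getattr` and `getopt` on `netlink_rdma_socket`, but the commit message only says they were found "in the audit logs" without quoting the records; include the `avc: denied { getattr }` and `avc: denied { getopt }` lines with `tclass=netlink_rdma_socket` in the message so each new permission can be traced to a concrete denial (`getattr` is the SELinux check on getsockname/getpeername, `getopt` the check on getsockopt).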
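Review bot: the `allow` hunk (@@ -82,7 +82,7 @@) keeps the rule `self:`-scoped and inside `@begin_dpdk@`/`@end_dpdk@`, so only the DPDK build of the policy changes and only for sockets the openvswitch_t domain itself owns, which is the right scope; one caveat worth a sentence in the commit message: a denied getsockopt can make the caller give up before it ever sends or receives on that socket, so a single failing run's audit log does not prove that `setopt getattr getopt bind create` is the complete set (`read`/`write` on `netlink_rdma_socket` are still not granted here), and the message should say the DPDK test was repeated with the new policy loaded and produced no further AVCs for this class.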
After testing with DPDK found netlink_rdma_socket missing
permissions 'getattr' and 'getopt' in the audit logs.

Signed-off-by: Roi Dayan <roid@nvidia.com>
---
selinux/openvswitch-custom.te.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
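The commit message describes the workflow behind this kind of patch: run the workload under the policy, read the AVC denials out of the audit log, and add exactly the denied permissions to the matching `allow` rule. The script below is an added example of that step and is not code from the Open vSwitch tree or from the patch author; the AVC records (pids, timestamps, the extra `sock_file` denial) are constructed for the example, and only the before/after `netlink_rdma_socket` rule text is taken from the patch. Function names such as `parse_denials`, `missing_permissions` and `render_rules` are this example's own. It keys each denial by (source type, target, class), writes the target as `self` when subject and object share a type, exactly as the .te rule does, and reports which denied permissions the policy text does not already grant, so the same check run against the patched rule confirms that the two denials are closed.

```python
"""Derive missing SELinux permissions from AVC denials and check them against
a type-enforcement policy fragment such as selinux/openvswitch-custom.te.in.

Added example, not code from the Open vSwitch project.  AUDIT_LOG and the
pid/comm values in it are constructed; POLICY_BEFORE/POLICY_AFTER are the
netlink_rdma_socket rule as the patch found it and as it leaves it, with the
@begin_dpdk@/@end_dpdk@ markers already expanded.
"""
import re
from collections import defaultdict

# Constructed AVC records in the standard audit(1) layout.  The first three are
# the kind of denial the commit message reports (getattr/getopt on the domain's
# own netlink_rdma_socket); the last is for a different class and target, to
# show it is reported separately rather than folded into the same rule.
AUDIT_LOG = """\
type=AVC msg=audit(1728211500.101:2231): avc:  denied  { getattr } for  pid=4211 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1728211500.102:2232): avc:  denied  { getopt } for  pid=4211 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1728211500.103:2233): avc:  denied  { getattr } for  pid=4211 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(1728211500.104:2234): avc:  denied  { read } for  pid=4211 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
"""

POLICY_BEFORE = "allow openvswitch_t self:netlink_rdma_socket { setopt bind create };\n"
POLICY_AFTER = "allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create };\n"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<sctx>\S+)"
    r"\s+tcontext=(?P<tctx>\S+)"
    r"\s+tclass=(?P<tclass>\w+)"
)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<sdom>\w+)\s+(?P<target>\w+):(?P<tclass>\w+)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s*;",
    re.MULTILINE,
)


def context_type(ctx):
    """user:role:type[:level] -> type, the component a TE rule names."""
    return ctx.split(":")[2]


def parse_denials(log):
    """Map (source type, target, class) -> set of denied permissions.
    The target is 'self' when the object carries the subject's own type,
    matching how the allow rule in the .te file is written."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        sdom = context_type(m.group("sctx"))
        tdom = context_type(m.group("tctx"))
        target = "self" if tdom == sdom else tdom
        denied[(sdom, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(denied)


def parse_policy(te_text):
    """Map (source type, target, class) -> permissions in the order written."""
    granted = {}
    for m in ALLOW_RE.finditer(te_text):
        key = (m.group("sdom"), m.group("target"), m.group("tclass"))
        perms = granted.setdefault(key, [])
        perms.extend(p for p in m.group("perms").split() if p not in perms)
    return granted


def missing_permissions(log, te_text):
    """Denied permissions that the policy text does not already grant."""
    granted = parse_policy(te_text)
    result = {}
    for key, perms in parse_denials(log).items():
        missing = perms - set(granted.get(key, []))
        if missing:
            result[key] = missing
    return result


def render_rules(log, te_text):
    """Allow rules to add or replace: existing permissions keep their order,
    newly required ones are appended sorted."""
    granted = parse_policy(te_text)
    lines = []
    for key, missing in sorted(missing_permissions(log, te_text).items()):
        sdom, target, tclass = key
        perms = granted.get(key, []) + sorted(missing)
        lines.append(f"allow {sdom} {target}:{tclass} {{ {' '.join(perms)} }};")
    return lines


if __name__ == "__main__":
    for rule in render_rules(AUDIT_LOG, POLICY_BEFORE):
        print(rule)
    print("still missing after patch:", missing_permissions(AUDIT_LOG, POLICY_AFTER))
```

On a real host the same two steps are `ausearch -m AVC -ts recent` (or `audit2allow -a`, which generates the rule for you) and, after installing the rebuilt module, `sesearch -A -s openvswitch_t -c netlink_rdma_socket` to confirm the loaded policy actually carries the new permissions. Note that the `require` block in openvswitch-custom.te.in has to list the same permissions as the `allow` rule, which is why the patch touches both hunks.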