From patchwork Sun Oct 6 10:45:46 2024
X-Patchwork-Submitter: Roi Dayan
X-Patchwork-Id: 1993262
X-Patchwork-Delegate: aconole@redhat.com
Date: Sun, 6 Oct 2024 13:45:46 +0300
Message-ID: <20241006104546.1622992-1-roid@nvidia.com>
Subject: [ovs-dev] [PATCH 1/1] selinux: Add missing permissions for netlink_rdma_socket.
From: Roi Dayan
Cc: Maor Dickman

After testing with DPDK found netlink_rdma_socket missing permissions 'getattr' and 'getopt' in the audit logs.

Signed-off-by: Roi Dayan
--- selinux/openvswitch-custom.te.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index fe2c5bb61a57..776b3946d6ab 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -52,7 +52,7 @@ require { class netlink_audit_socket { create nlmsg_relay read write }; class netlink_netfilter_socket { create read write }; @begin_dpdk@ - class netlink_rdma_socket { setopt bind create }; + class netlink_rdma_socket { setopt getattr getopt bind create }; @end_dpdk@ class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; 
@@ -82,7 +82,7 @@ allow openvswitch_t self:capability { dac_override audit_write net_broadcast net allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write }; allow openvswitch_t self:netlink_netfilter_socket { create read write }; @begin_dpdk@ -allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; +allow openvswitch_t self:netlink_rdma_socket { setopt getattr getopt bind create }; @end_dpdk@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
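Review bot: In the first hunk (the 'class netlink_rdma_socket' line of the require block), nothing records why the DPDK build needs 'getattr' and 'getopt'. The commit message says they showed up in the audit logs but does not quote them. Please add the AVC denial records to the commit message, with scontext, tcontext and tclass, so a reader can confirm that the denials are for openvswitch_t on its own socket (which is what 'self' grants in the second hunk) and that these two were the only permissions denied in that run.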
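Review bot: In the second hunk, the 'allow openvswitch_t self:netlink_rdma_socket' rule is widened by exactly the two permissions observed so far, so the commit message should say whether the audit log was collected in permissive or enforcing mode. In enforcing mode a denied 'getattr' or 'getopt' can stop the caller before it reaches later socket operations, which would hide further denials; this rule still has no 'read' or 'write', unlike the netlink_netfilter_socket and netlink_socket rules beside it. A re-test with the patch applied that shows no remaining netlink_rdma_socket denials would settle it. A Fixes: tag naming the commit that introduced this rule would also help with backports.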