From 14b3584c277e15d7b3c5ecd85bea65a3bceede59 Mon Sep 17 00:00:00 2001
From: Alfredo Moralejo
Date: Jun 14 2022 11:19:38 +0000
Subject: Import openvswitch-selinux-extra-policy-1.0-29 from Fast Datapath

---

diff --git a/SOURCES/0001-tracefs-allow-openvswitch_module_load-to-.patch b/SOURCES/0001-tracefs-allow-openvswitch_module_load-to-.patch
new file mode 100644
index 0000000..b084fdc
--- /dev/null
+++ b/SOURCES/0001-tracefs-allow-openvswitch_module_load-to-.patch
@@ -0,0 +1,29 @@
+From: Aaron Conole
+Subject: [PATCH] tracefs: allow openvswitch_module_load to access tracefs_t
+
+For debugging.
+
+Signed-off-by: Aaron Conole
+---
+
+diff -upr a/openvswitch-custom.te b/openvswitch-custom.te
+--- a/openvswitch-custom.te 2022-02-02 10:55:06.376845429 -0500
++++ b/openvswitch-custom.te 2022-02-02 11:33:48.025800257 -0500
+@@ -38,6 +38,7 @@ require {
+ type sssd_var_lib_t;
+ type sysfs_t;
+ type systemd_unit_file_t;
++ type tracefs_t;
+ type tun_tap_device_t;
+ 
+ type hugetlbfs_t;
+@@ -163,6 +164,8 @@ allow openvswitch_load_module_t sysfs_t:
+ allow openvswitch_load_module_t sysfs_t:file { open read };
+ allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
+ allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
++allow openvswitch_load_module_t tracefs_t:dir { search getattr open read };
++allow openvswitch_load_module_t tracefs_t:file { map getattr open read };
+ 
+ # no need to grant search permissions for this - and no need to emit
+ # an error, either.
+---
diff --git a/SPECS/openvswitch-selinux-extra-policy.spec b/SPECS/openvswitch-selinux-extra-policy.spec
index 3ead200..dfa995d 100644
--- a/SPECS/openvswitch-selinux-extra-policy.spec
+++ b/SPECS/openvswitch-selinux-extra-policy.spec
@@ -22,7 +22,7 @@ Source0: http://aconole.bytheb.org/files/openvswitch-selinux-policy.tar.gz
 License: ASL 2.0
 BuildArch: noarch
-Release: 28%{?dist}
+Release: 29%{?dist}
 BuildRequires: autoconf automake libtool
 BuildRequires: systemd-units openssl openssl-devel
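Review bot: The two added `allow openvswitch_load_module_t tracefs_t:…` rules in the inner hunk at `@@ -163,6 +164,8 @@` grant the module-loading domain unconditional read and mmap access to everything under tracefs in the shipped policy, while the patch itself justifies them only with "For debugging."; tracefs carries kernel trace buffers and not just tracepoint metadata, so a misbehaving or compromised process in that domain gains a permanent kernel-information read path. If the access is needed only when debug tracing is actually enabled, it should sit behind a boolean that defaults to off, as sketched below, so the default policy is unchanged; if the goal were merely to stop AVC noise, `dontaudit` rather than `allow` would be the right tool, though the changelog entry "Allow ovs debug tracing points to load (#2026664)" suggests real access is wanted. Which tracefs files the load path opens, and whether `map` is required for them, is not visible here, so a why-comment naming that should go above the rules, e.g. `# tracefs: read/mmap needed to enable OVS debug tracing points (#2026664)`. Separately, the patch subject and file name say `openvswitch_module_load` while the rules target `openvswitch_load_module_t`; the subject should use the real type name. The `require { … }` block and the run of `allow openvswitch_load_module_t …` rules both start and end outside the quoted hunks.
```selinux
# … unchanged: require block, sysfs_t / systemd_unit_file_t rules …
# Off by default: tracefs exposes kernel trace buffers, not only tracepoint
# metadata, so open it to the module-loading domain only when debug tracing
# is actually wanted (#2026664).
bool openvswitch_tracefs_debug false;
if (openvswitch_tracefs_debug) {
	allow openvswitch_load_module_t tracefs_t:dir { search getattr open read };
	allow openvswitch_load_module_t tracefs_t:file { map getattr open read };
}
# … unchanged: remaining rules …
```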
@@ -59,6 +59,7 @@ Patch101: 0001-netlink_rdma_socket-fix-permissions.patch
 Patch102: 0001-capability-dont-audit-sys_admin.patch
 Patch110: 0001-rhcos-spc-and-file-updates.patch
 Patch120: 0001-ipsec_conf.patch
+Patch130: 0001-tracefs-allow-openvswitch_module_load-to-.patch
 %description
 Tailored Open vSwitch SELinux policy for distribution
@@ -106,6 +107,9 @@ fi
 %attr(0644,root,root) %{_datadir}/selinux/packages/%{modulename}.pp
 %changelog
+* Thu Feb 10 2022 Aaron Conole - 1.0-29
+- Allow ovs debug tracing points to load (#2026664)
+
 * Wed Jan 27 2021 Aaron Conole - 1.0-28
 - Revert perf_event workaround (#1906278)