misc: selinux fixes (packet_socket r/w)

Millnert · Millnert · commit 68849350c56b · 2020-09-11T01:25:08.000+02:00
vpp-20.05 on up-to-date Centos 7.8 host with enforcing SELinux fails to
create a host-interface due to two missing SELinux-permissions:

vpp_t self:packet_socket { read write }

This simple patch adds these two permissions. Tested successfully on
local installation.

The steps to reproduce:

$ ip link add vpeer-host type veth peer name vpeer-vpp
vpp# create host-interface name vpeer-vpp
create host-interface: Permission denied (errno 13)
[...]
$ semodule -i vpp-packet-socket.pp
vpp# create host-interface name vpeer-vpp
host-vpeer-vpp

Type: fix
Ticket: VPP-1931
Change-Id: I2b3d92b27b9a9f26aa1c85af2946b15e83e27944
Signed-off-by: Martin Millnert &lt;martin@millnert.se&gt;
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
@@ -46,7 +46,7 @@ files_tmp_file(vpp_tmp_t)
 allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent
 dontaudit vpp_t self:capability2 block_suspend;
 allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
-allow vpp_t self:packet_socket { bind create setopt ioctl map };
+allow vpp_t self:packet_socket { bind create setopt ioctl map read write };
 allow vpp_t self:tun_socket { create relabelto relabelfrom };
 allow vpp_t self:udp_socket { create ioctl };
 allow vpp_t self:unix_dgram_socket { connect create ioctl };
