ovs: allow reading svirt_tmp_t

Required by live migration Resolves: rhbz#1542107 Signed-off-by: Lon Hohberger <lhh@redhat.com>
redhat-openstack · Feb 7, 2018 · 4e6703e · 4e6703e
1 parent c6158ce
commit 4e6703e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/os-ovs.te b/os-ovs.te
@@ -17,6 +17,7 @@ gen_require(`
 	type init_tmp_t;
 	type tun_tap_device_t;
 	type svirt_t;
+	type svirt_tmpfs_t;
 	type virt_cache_t;
 	class dir search;
 	class file { write read getattr open };
@@ -109,3 +110,6 @@ corenet_tcp_connect_all_ports(openvswitch_t)
 # #1498797
 allow openvswitch_t self:capability { audit_write dac_override };
 allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
+
+# #1542107
+allow openvswitch_t svirt_tmpfs_t:file { read write };
diff --git a/tests/bz1542107 b/tests/bz1542107
@@ -0,0 +1 @@
+type=AVC msg=audit(1517841541.153:650): avc:  denied  { read write } for  pid=7168 comm="vhost_thread2" path=2F6D656D66643A76686F73742D6C6F67202864656C6574656429 dev="tmpfs" ino=324410 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file