X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=extras%2Fselinux%2Fvpp-custom.te;h=27abbf92f854f0b4678976a9bff56ceced17735d;hb=4141ded3ec876313a5c7f74a93dec3e18940180a;hp=7cc2d55412a7d4dd699ec9c04ebbd869a02ca27a;hpb=41deceaf25bc2360a9ee6571b5485b8a4a1cbd5b;p=vpp.git
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
index 7cc2d55412a..27abbf92f85 100644
--- a/extras/selinux/vpp-custom.te
+++ b/extras/selinux/vpp-custom.te
@@ -10,6 +10,8 @@ gen_require(`
 type svirt_t;
 type svirt_image_t;
 type systemd_sysctl_t;
+ type hugetlbfs_t;
+ type sysfs_t;
 class capability sys_admin;
 ')
@@ -46,7 +48,7 @@ files_tmp_file(vpp_tmp_t)
 allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin chown }; # too benevolent
 dontaudit vpp_t self:capability2 block_suspend;
 allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
-allow vpp_t self:packet_socket { bind create setopt ioctl map };
+allow vpp_t self:packet_socket { bind create setopt ioctl map read write };
 allow vpp_t self:tun_socket { create relabelto relabelfrom };
 allow vpp_t self:udp_socket { create ioctl };
 allow vpp_t self:unix_dgram_socket { connect create ioctl };
@@ -56,7 +58,7 @@ allow vpp_t self:netlink_socket { bind create setopt };
 manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
 manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
-allow vpp_t vpp_lib_t:file execute;
+allow vpp_t vpp_lib_t:file { execute map };
 files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
 manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
@@ -77,6 +79,7 @@ files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
 manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
 manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+allow vpp_t vpp_tmpfs_t:file map;
 fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
 read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
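Review bot: In the -56,7 hunk, `allow vpp_t vpp_lib_t:file { execute map };` lands directly under `manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)`, which already gives vpp_t write on the same type, so adding `map` means vpp_t can mmap (and, with `execute`, map executable) files it itself creates under /var/lib via the `files_var_lib_filetrans` rule on the next line. Given the domain already holds `execmem`/`execstack` two hunks earlier this is not a new exploitability boundary, but it is the kind of grant the file otherwise annotates, so a short comment on the rule stating which artefact in vpp_lib_t has to be mapped, in the style of the existing `# too benevolent` markers, would keep the intent auditable; if only one artefact needs it, a dedicated non-writable type would be tighter than map+execute on the managed type. The `allow vpp_t vpp_tmpfs_t:file map;` rule in the -77,6 hunk is map-only without execute and does not raise the same point.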
@@ -141,4 +144,16 @@ allow vpp_t svirt_image_t:file { read write };
 read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+########################################
+#
+# hugetlbfs
+#
+
+allow vpp_t hugetlbfs_t:file map;
+########################################
+#
+# dpdk
+#
+allow vpp_t sysfs_t:file map;
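Review bot: `allow vpp_t sysfs_t:file map;` grants map on every file carrying sysfs_t, while the `# dpdk` header above it says nothing about which sysfs files are actually mapped, so a later reviewer cannot tell whether the scope is wider than needed; a comment such as `# dpdk: mmap of device files under /sys (sysfs_t) — presumably PCI resource files, confirm and narrow if a dedicated type exists` would record that. `map` on its own is only useful alongside a read or write grant on the same files, which this hunk does not show; if that comes from an interface elsewhere in the file, naming it in the comment helps. As a point of style, the two new comment blocks are laid out differently (a blank line between the header and the hugetlbfs rule, none before the sysfs rule) — they should match each other and the existing section headers in the file.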