selinux: introduce domain transitioned kmod helper

apconole · Ansis Atteka · commit a0efb7c92d45 · 2018-06-17T19:32:27.000-07:00
This commit uses the previously defined selinux label to transition
from the openvswitch_t to openvswitch_load_module_t domain by
executing ovs-kmod-ctl that is labelled with
openvswitch_load_module_exec_t type.

Note that unless the selinux relabel operation is invoked, the script
will not be labelled.  This merely instructs the selinux tools that
ovs-kmod-ctl should have a label applied.

Acked-by: Ansis Atteka &lt;aatteka@ovn.org&gt;
Acked-by: Timothy Redaelli &lt;tredaelli@redhat.com&gt;
Signed-off-by: Aaron Conole &lt;aconole@redhat.com&gt;
diff --git a/selinux/.gitignore b/selinux/.gitignore
@@ -1 +1,5 @@
 openvswitch-custom.te
+openvswitch-custom.fc
+openvswitch-custom.pp
+openvswitch-custom.if
+tmp/
diff --git a/selinux/automake.mk b/selinux/automake.mk
@@ -6,11 +6,12 @@
 # without warranty of any kind.
 
 EXTRA_DIST += \
+        selinux/openvswitch-custom.fc.in \
         selinux/openvswitch-custom.te.in
 
 PHONY: selinux-policy
 
-selinux-policy: selinux/openvswitch-custom.te
+selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
 	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
 
 CLEANFILES += \
diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
@@ -0,0 +1 @@
+@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)`