selinux: Allow ovs-ctl force-reload-kmod.

[cascardo/ovs.git] / selinux / openvswitch-custom.te

diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
index fc32b97..47ddb56 100644 (file)
--- a/selinux/openvswitch-custom.te
+++ b/selinux/openvswitch-custom.te
@@ -1,9 +1,16 @@
-module openvswitch-custom 1.0;
+module openvswitch-custom 1.0.1;
 
 require {
         type openvswitch_t;
+        type openvswitch_tmp_t;
+        type ifconfig_exec_t;
+        type hostname_exec_t;
         class netlink_socket { setopt getopt create connect getattr write read };
+        class file { write getattr read open execute execute_no_trans };
 }
 
 #============= openvswitch_t ==============
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };