From 1d5e18a157aebb965320338a1b98540713344d06 Mon Sep 17 00:00:00 2001
From: Richard Su
Date: Mon, 22 Dec 2014 16:14:06 -0800
Subject: [PATCH] Custom policy for openvswitch SELinux denials

Tripleo-ci has started to log denials about openvswitch and sysctl interactions.

Change-Id: I9ef2162d60dd0ac8a062f11c817849a84ff84546
Partial-Bug: 1405021
---
 .../custom-policies/tripleo-selinux-openvswitch.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 elements/selinux/custom-policies/tripleo-selinux-openvswitch.te

diff --git a/elements/selinux/custom-policies/tripleo-selinux-openvswitch.te b/elements/selinux/custom-policies/tripleo-selinux-openvswitch.te
new file mode 100644
index 000000000..5da9acd6f
--- /dev/null
+++ b/elements/selinux/custom-policies/tripleo-selinux-openvswitch.te
@@ -0,0 +1,14 @@
+module tripleo-selinux-openvswitch 1.0;
+
+require {
+ type sysctl_net_t;
+ type openvswitch_t;
+ class dir search;
+ class file { read getattr open };
+}
+
+# https://bugs.launchpad.net/tripleo/+bug/1405021
+# https://bugzilla.redhat.com/show_bug.cgi?id=1176730
+#============= openvswitch_t ==============
+allow openvswitch_t sysctl_net_t:dir search;
+allow openvswitch_t sysctl_net_t:file { read getattr open };
\ No newline at end of file
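Review bot: The two `allow` rules record only bug links, not the AVC they answer or the condition under which this module should go away, so nothing tells a later maintainer whether the grant is still needed once the distro `selinux-policy` fix for bz#1176730 ships. I would add a comment above the rules such as `# Stopgap for openvswitch_t reading /proc/sys/net sysctls (AVC: denied { read } for ... scontext=openvswitch_t tcontext=sysctl_net_t); drop this module once the fixed selinux-policy package is in the image.` with the actual denial line pasted in. The grant itself is appropriately narrow (read/getattr/open on sysctl_net_t files plus dir search, no write), which is the right least-privilege shape for a workaround; if these `.te` files are compiled through the policy devel Makefile rather than plain `checkmodule`, the equivalent refpolicy interface `kernel_read_net_sysctls(openvswitch_t)` would express the same intent more readably, but that depends on how the selinux element builds them. The file is also missing its trailing newline, which some policy build tooling and linters complain about.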