From 5f5c3d92295ee82ad59f0ba5ccba67baa9349426 Mon Sep 17 00:00:00 2001
From: Roi Dayan
Date: Wed, 18 Sep 2024 14:04:18 +0300
Subject: [PATCH] selinux: Update policy file.

Failing to install the selinux policy file under RHEL9.1 with error "Failed to resolve permission audit_write". Checking online SELinux permissions, I found that those classes don't support those permissions. So not sure how it's passing on other distributions like RHEL8.2, maybe being ignored. With this change I can install the policy file in RHEL8.2 and RHEL9.1.

Fixes: 84d272330506 ("selinux: update policy to reflect non-root and dpdk support")
Signed-off-by: Roi Dayan
Signed-off-by: Aaron Conole
(cherry picked from commit 2c7e2d58c30361de56dcae81cb31e399db1ad73c)
---
 selinux/openvswitch-custom.te.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index beb0ab0d661..fe2c5bb61a5 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -49,8 +49,8 @@ require {
 class fifo_file { getattr read write append ioctl lock open };
 class filesystem getattr;
 class lnk_file { read open };
- class netlink_audit_socket { create nlmsg_relay audit_write read write };
- class netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+ class netlink_audit_socket { create nlmsg_relay read write };
+ class netlink_netfilter_socket { create read write };
 @begin_dpdk@
 class netlink_rdma_socket { setopt bind create };
 @end_dpdk@
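Review bot: Nothing in the policy records why `audit_write` now appears only on the capability class and `nlmsg_relay` only on netlink_audit_socket, so the next person chasing an AVC denial on the audit or netfilter socket is likely to put the invalid permissions back and hit the same "Failed to resolve permission" load failure the commit message describes. I would add, above the `allow openvswitch_t self:netlink_audit_socket` rule in the second hunk, a comment along the lines of `# Emitting audit records needs CAP_AUDIT_WRITE (capability rule above) plus nlmsg_relay on the socket; audit_write is not a permission of the netlink_*_socket classes, and listing it makes the module fail to load.` A one-line comment with the same gist belongs in the `require` block of this hunk, since the two must stay in step: a permission named in an `allow` rule but absent from `require` (or declared in `require` but unknown to the class) fails in the same way. As far as I can tell from the visible lines the change is purely a removal of unresolvable permissions and grants nothing new, which is worth stating in the comment so reviewers of later policy edits do not read it as a tightening. This is a comment-only suggestion.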
@@ -79,8 +79,8 @@ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load
 #============= openvswitch_t ==============
 allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay read write };
+allow openvswitch_t self:netlink_netfilter_socket { create read write };
 @begin_dpdk@
 allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
 @end_dpdk@