Since rdma-core version 25, ibv_get_device_list(3) first tries to get the device list via netlink and only if that fails it falls back to getting it from sysfs. Currently the policy denies getting it from netlink, generating some denials. Allow test_ibpkey_access_t the necessary permissions so it can do it the preferred way and doesn't generate audit AVC noise. Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- policy/test_ibpkey.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index 2bfb701..b128f5e 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te @@ -14,6 +14,10 @@ typeattribute test_ibpkey_access_t ibpkeydomain; # even with strict resource limits. allow test_ibpkey_access_t self:capability ipc_lock; +# ibv_get_device_list(3) wants to list the devices via netlink by default +# (if denied it falls back to listing them via sysfs). +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms; + dev_rw_infiniband_dev(test_ibpkey_access_t) dev_rw_sysfs(test_ibpkey_access_t) -- 2.39.2
