From c1de3dfe7accdfd77a263347d4df8ea1aede0146 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 8 Nov 2017 13:39:20 -0800
Subject: [PATCH] Let ovsdb-server write below /etc/openvswitch
---
 rules/falco_rules.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 674b8a4b..bf1e0cff 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -575,6 +575,8 @@
 - macro: dmeventd_writing_lvm_archive
 condition: (proc.name=dmeventd and (fd.name startswith /etc/lvm/archive or fd.name startswith /etc/lvm/backup))
+- macro: ovsdb_writing_openvswitch
+ condition: (proc.name=ovsdb-server and fd.directory=/etc/openvswitch)
 ###############
 # General Rules
@@ -675,6 +677,7 @@
 and not pki_realm_writing_realms
 and not htpasswd_writing_passwd
 and not dmeventd_writing_lvm_archive
+ and not ovsdb_writing_openvswitch
 - rule: Write below etc
 desc: an attempt to write to any file below /etc, not in a pipe installer session
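Review bot: The new `ovsdb_writing_openvswitch` macro identifies the writer by `proc.name` alone, which is the short process name rather than the binary's path, so the "Write below etc" alert is suppressed for anything running under the name `ovsdb-server` that writes into /etc/openvswitch. The `fd.directory=/etc/openvswitch` equality is the right scoping and should stay: unlike the `fd.name startswith` form in the dmeventd macro above it, it covers neither subdirectories nor sibling paths that merely share the prefix, although that is narrower than the "below /etc/openvswitch" in the commit title suggests. I would record the trust assumption in a comment above the macro, for example `# ovsdb-server writes its database files directly in /etc/openvswitch; matched by process name only`, and consider adding a parent-process or executable-path condition where the deployment makes that stable. The second hunk only adds `and not ovsdb_writing_openvswitch` to an exception list whose enclosing condition starts outside the hunk.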