[ovs-dev] [PATCHv2 branch2-4] rhel: provide our own SELinux custom policy package

Ansis Atteka ansisatteka at gmail.com
Thu Jan 21 01:44:40 UTC 2016


On 20 January 2016 at 16:13, Ansis Atteka <ansisatteka at gmail.com> wrote:

>
>
> On 20 January 2016 at 15:36, Ben Pfaff <blp at ovn.org> wrote:
>
>> On Wed, Jan 20, 2016 at 03:34:49PM -0800, Ben Pfaff wrote:
>> > On Wed, Jan 20, 2016 at 02:59:03PM -0800, Ansis Atteka wrote:
>> > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
>> > > SELinux policy that is too strict and prevents Open vSwitch from working
>> > > normally out of the box.
>> > >
>> > > As a solution, this patch introduces a new package which will "loosen"
>> > > up "openvswitch_t" SELinux domain so that Open vSwitch could operate
>> > > normally.
>> >
>> > I could not get this to apply.
>>
>> Oh, I guess that's because it's for branch-2.4.  Just for branch-2.4?
>> We aren't going to get it on master first and backport it?  That's
>> unusual...
>>
>
> It was developed against branch-2.4, because
> 1. OVS does not work on a default Fedora 23 installation (i.e. SELinux denies
> access to Netlink sockets). This means that backporting to older branches
> needs to be done anyway.
> 2. I chose version 2.4 (as opposed to any other OVS version) because this
> needs to be done in tandem with the outstanding --user patches targeted for OVS
> 2.5. I just wanted to test the upgrade path from OVS 2.4 to OVS 2.5+ (--user).
>
>
> I created a new spec file because I imagined that this SELinux policy
> package could be used on both Fedora and RHEL.
>


Also, here are two things I would like to point out about the patch:

1. It loosens up the SELinux policy that comes with the Linux distribution, as
opposed to unloading it and loading a completely different SELinux policy. I
don't see any reason why this can't be done, but I could not find a
precedent.
2. If we want to have a single rpm package for Fedora, RHEL and CentOS,
then the SELinux openvswitch-custom.te file needs to target the lowest
SELinux version. For example, SELinux on Fedora has several extra classes
that we can't use (obtained from the "seinfo" utility):

+   binder
+   netlink_connector_socket
+   netlink_netfilter_socket
+   netlink_iscsi_socket
+   netlink_rdma_socket
+   netlink_generic_socket
+   netlink_scsitransport_socket
+   netlink_crypto_socket
+   netlink_fib_lookup_socket

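The second point above (one .te file that must only reference object classes present on the oldest supported SELinux policy) can be mechanised. The following POSIX shell script is an added example written for this page; it is not code from the patch under discussion or from the Open vSwitch project. The class lists `RHEL_CLASSES` and `FEDORA_CLASSES` are constructed stand-ins for the output of `seinfo -c` on two hosts, the function names `classes_common` and `te_module` are my own, the permission set in `NETLINK_PERMS` is limited to the common "socket" permissions so that it is valid for every `netlink_*_socket` class, and the module uses plain `module`/`require` syntax as accepted by `checkmodule -M -m`. Nothing here claims to reproduce the project's actual policy.

```shell
#!/bin/sh
# Added example, not code from the OVS patch or project: compute the set of
# SELinux object classes that exists on every target distribution and emit a
# custom policy module that only references those classes, so that a single
# openvswitch-custom .te can be packaged for Fedora, RHEL and CentOS.

# Constructed sample class lists (assumption: on a real host each list would
# be the class names printed by "seinfo -c", one per line, header stripped).
RHEL_CLASSES='process
capability
netlink_socket
netlink_route_socket
netlink_kobject_uevent_socket'

FEDORA_CLASSES='process
capability
binder
netlink_socket
netlink_route_socket
netlink_kobject_uevent_socket
netlink_generic_socket
netlink_crypto_socket'

# Permissions from the common "socket" permission set, so they are valid for
# every netlink_*_socket class on every policy version (assumption for this
# example; a real module would grant exactly what audit denials show).
NETLINK_PERMS='{ create bind getattr setattr read write }'

# classes_common LIST...: print, sorted and one per line, the classes that
# appear in every newline-separated LIST given as an argument.
classes_common() {
    common=$1
    shift
    for list in "$@"; do
        # grep -F with a newline-separated pattern list keeps exact matches only
        common=$(printf '%s\n' "$common" | grep -Fx -e "$list" || true)
    done
    printf '%s\n' "$common" | LC_ALL=C sort -u
}

# te_module CLASSES: emit a policy module (checkmodule/semodule_package
# syntax) that lets openvswitch_t use each netlink socket class in CLASSES.
# Classes absent from the lowest supported policy never reach this function,
# so the resulting module loads on every target host.
te_module() {
    printf 'module openvswitch-custom 1.0;\n\nrequire {\n    type openvswitch_t;\n'
    for cls in $1; do
        case $cls in
        netlink_*socket) printf '    class %s %s;\n' "$cls" "$NETLINK_PERMS" ;;
        esac
    done
    printf '}\n\n'
    for cls in $1; do
        case $cls in
        netlink_*socket) printf 'allow openvswitch_t self:%s %s;\n' "$cls" "$NETLINK_PERMS" ;;
        esac
    done
}

# Usage: build the module against the classes common to both sample hosts.
# netlink_generic_socket, netlink_crypto_socket and binder (Fedora-only in
# the sample) are dropped, so the module does not fail to load on the RHEL host.
te_module "$(classes_common "$RHEL_CLASSES" "$FEDORA_CLASSES")"
```

Running the script prints a module whose `require` block and `allow` rules mention only the three netlink classes that both sample hosts share; the resulting text can be compiled with `checkmodule -M -m -o openvswitch-custom.mod openvswitch-custom.te` and packaged with `semodule_package`. The important property is that every class named in `require` exists on the oldest target policy, which is exactly what a single rpm for Fedora, RHEL and CentOS needs.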

