[ovs-dev] [PATCHv2 branch2-4] rhel: provide our own SELinux custom policy package

Russell Bryant russell at ovn.org
Wed Jan 27 23:22:42 UTC 2016


On Wednesday, January 27, 2016, Flavio Leitner <fbl at sysclose.org> wrote:

> On Thu, 21 Jan 2016 17:09:42 -0500
> Russell Bryant <russell at ovn.org> wrote:
>
> > On 01/20/2016 05:59 PM, Ansis Atteka wrote:
> > > CentOS, RHEL and Fedora distributions ship with their own Open
> > > vSwitch SELinux policy that is too strict and prevents Open vSwitch
> > > to work normally out of the box.
> > >
> > > As a solution, this patch introduces a new package which will
> > > "loosen" up "openvswitch_t" SELinux domain so that Open vSwitch
> > > could operate normally.
> > >
> > > Intended use-cases of this package are:
> > > 1. to allow users to install newer Open vSwitch on already released
> > > Fedora, RHEL and CentOS distributions where the default Open
> > > vSwitch SELinux policy that shipped with the corresponding Linux
> > > distribution is not up to date and did not anticipate that a newer
> > > Open vSwitch version might need to invoke new system calls or need
> > > to access certain system resources that it did not before; And
> > > 2. to provide alternative means through which Open vSwitch
> > > developers can proactively fix SELinux related policy issues
> > > without waiting for corresponding Linux distribution maintainers to
> > > update their central Open vSwitch SELinux policy.
> > >
> > > This patch was tested on Fedora 23 and CentOS 7. I verified that now
> > > on Fedora 23 Open vSwitch can create a NetLink socket; and that I
> > > did not see following error messages:
> > >
> > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > > netlink_socket|ERR|fcntl: Permission denied
> > > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not
> > > exist. The Open vSwitch kernel module is probably not loaded.
> > > dpif|WARN|failed to enumerate system datapaths: Permission denied
> > > dpif|WARN|failed to create datapath ovs-system: Permission denied
> > >
> > > I did not test all Open vSwitch features so there still could be
> > > some OVS configuration that would get "Permission denied" errors.
> > >
> > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under
> > > "unconfined" SELinux domain, then there is no need to create a
> > > similar debian package for Ubuntu, because it works on default
> > > Ubuntu installation.
> > >
> > > Signed-Off-By: Ansis Atteka <aatteka at nicira.com>
> >
> > It's certainly unfortunate that this is necessary, but I understand
> > the practical motivation behind it.
> >
> > One way to look at this could be that it's a fork from distro-provided
> > systemd policy.  I'd really like to see something that makes me feel
> > good that we're trying our hardest to minimize divergence as much as
> > possible.  For every policy addition, it would be nice to see
> > something like:
> >
> > 1) A link to a distro bug report (or reports) that show that this
> > policy addition is needed locally until the distro applies a policy
> > update.
> >
> > 2) If it's a policy included in newer versions of a distro, and this
> > is only needed on older versions of the distro where the changes
> > won't get applied, it'd be nice to have that documented somehow.
> >
> > Honestly, this stuff isn't easy to get right, and I'd really rather
> > leave it to the systemd policy experts as much as possible.  Seeing
> > that systemd policy maintainers have acked the changes in some way
> > would make me feel better.
>
> This is a never ending problem.  As we add features, all distros need
> to sync their selinux policies.  It makes more sense for each project
> to provide the policy instead.
>
> For example, this is for docker and look who is the maintainer :-)
> https://github.com/fedora-cloud/docker-selinux
>
>
>
Ok, thanks. I'm happy with this whenever you are.

-- 
Russell
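The patch under discussion adds allow rules to the openvswitch_t domain so that ovs-vswitchd stops hitting the "Permission denied" errors quoted above, and the review asks that every such rule be traceable to a distro bug or upstream policy change. The script below is an added example for this thread, not code from the patch or from the Open vSwitch project: it does by hand what audit2allow does for one domain, parsing AVC denial records, aggregating the denied permissions per target type and object class, and rendering a policy-module source in the raw `module`/`require`/`allow` form with a justification slot in front of each rule. The audit lines are constructed samples in the standard AVC record layout; the types and classes in them (openvswitch_var_run_t, netlink_generic_socket, and so on) are illustrative, and the module name openvswitch_custom is an assumption.

```python
"""Triage SELinux AVC denials for one domain and draft the matching allow rules.

Added example for this thread, not code from the patch or the OVS project.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). Three denials hit
# openvswitch_t, one hits an unrelated domain, and one SYSCALL record is noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453932000.101:201): avc:  denied  { create } for  pid=2001 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453932000.102:202): avc:  denied  { getopt setopt } for  pid=2001 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453932000.103:203): avc:  denied  { read } for  pid=2001 comm="ovs-vswitchd" path="/run/openvswitch/db.sock" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1453932000.104:204): avc:  denied  { write } for  pid=3001 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1453932000.104:204): arch=c000003e syscall=1 success=no exit=-13
"""

# One AVC record: the braced permission list, then the three labels that
# define an access vector (source context, target context, object class).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL records and other noise are skipped
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(log_text, source_type):
    """Aggregate denials for one source domain into {(target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        if stype == source_type:
            rules[(ttype, tclass)] |= perms
    return dict(rules)


def render_module(rules, source_type, name="openvswitch_custom", version="1.0"):
    """Render a minimal module source (.te) with one allow rule per (target, class).

    Uses the raw module syntax that `audit2allow -M` emits, so the output can be
    reviewed rule by rule before anyone compiles it with checkmodule/semodule.
    """
    targets = sorted({t for t, _ in rules if t != source_type})
    classes = defaultdict(set)
    for (_, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {", f"\ttype {source_type};"]
    out += [f"\ttype {t};" for t in targets]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == source_type else ttype
        # Each rule is a deliberate divergence from the distro policy, so it
        # carries a slot for the bug report or upstream commit that justifies it.
        out.append("# justification: <distro bug / upstream policy commit>")
        out.append(f"allow {source_type} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ovs_rules = collect_rules(SAMPLE_AUDIT_LOG, "openvswitch_t")
    print(render_module(ovs_rules, "openvswitch_t"))
```

Run against a real audit log (`ausearch -m AVC -c ovs-vswitchd`) the same functions produce the candidate rule set for the domain; the point of the justification comment is that a rule with nothing to put there is exactly the one that should go upstream as a bug report rather than into the local package.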


