[ovs-dev] [PATCH] rhel: provide our own SELinux custom policy package

Ansis Atteka ansisatteka at gmail.com
Thu Jan 28 18:24:23 UTC 2016


On 27 January 2016 at 12:42, Flavio Leitner <fbl at sysclose.org> wrote:

> On Tue, 19 Jan 2016 22:50:26 -0800
> Ansis Atteka <aatteka at nicira.com> wrote:
>
> > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
> > SELinux policy that is too strict and prevents Open vSwitch from working
> > normally out of the box.
> >
> > As a solution, this patch introduces a new package which will "loosen"
> > up "openvswitch_t" SELinux domain so that Open vSwitch could operate
> > normally.
> >
> > Intended use-cases of this package are:
> > 1. to allow users to install newer Open vSwitch on already released
> > Fedora, RHEL and CentOS distributions where the default Open vSwitch
> > SELinux policy that shipped with the corresponding Linux distribution
> > is not up to date and did not anticipate that a newer Open vSwitch
> > version might need to invoke new system calls or need to access
> > certain system resources that it did not before; and
> > 2. to provide alternative means through which Open vSwitch developers
> > can proactively fix SELinux related policy issues without waiting for
> > corresponding Linux distribution maintainers to update their central
> > Open vSwitch SELinux policy.
> >
> > This patch was tested on Fedora 23 and CentOS 7. I verified that now
> > on Fedora 23 Open vSwitch can create a Netlink socket, and that I did
> > not see the following error messages:
> >
> > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > netlink_socket|ERR|fcntl: Permission denied
> > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. The Open vSwitch kernel module is probably not loaded.
> > dpif|WARN|failed to enumerate system datapaths: Permission denied
> > dpif|WARN|failed to create datapath ovs-system: Permission denied
> >
> > I did not test all Open vSwitch features so there still could be some
> > OVS configuration that would get "Permission denied" errors.
> >
> > Since Open vSwitch daemons on Ubuntu 15.10 by default run under the
> > "unconfined" SELinux domain, there is no need to create a similar
> > Debian package for Ubuntu.
>
> First of all, this is a valid SELinux workflow and I liked the idea.
>
> However, having another RPM package doesn't resolve the issue completely
> because the user needs to notice something is not working, then debug,
> then realize it's related to SELinux, then remember about another
> package, build and finally install it.
>
> I think we can shortcut all that by shipping OVS SELinux module by
> default.
>
I would be happy to do that and will send V3.


>
> We would still need a separate package (a subpackage in this case) where
> the main one requires the selinux module.  The subpackage is required
> to get it built all times and to get dependencies right.
>
> i.e.:
> openvswitch-fedora.spec:
>   Requires(pre): openvswitch-selinux >= %{version}-%{release}
>
> Doing so, it would allow Fedora/RHEL/CentOS to start shipping the same.
> Then when 2.5 for instance is out with its selinux module, those distros
> can simply ship the same bits when their RPM is updated.  If a user
> wants to use upstream, no problem, the update would work as well.
>
> I can help you with that if you need a hand.
>
> Thanks,
> --
> fbl
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>
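As an added illustration, not the patch under discussion and not code from the Open vSwitch project, this is the shape a small custom policy module that "loosens" the distribution's `openvswitch_t` domain could take. The `netlink_socket` class, the permission list and the file name are assumptions chosen to match the `fcntl: Permission denied` error quoted above; the real rule set should be derived from the AVC denials recorded on the host, not guessed.

```selinux
# openvswitch-custom.te (illustrative; file name, class and permissions are assumptions)
# A loadable policy module that grants the distribution's openvswitch_t domain
# the netlink socket permissions a newer Open vSwitch needs. Keep the allow
# rules to exactly what the audit log shows being denied, nothing broader.
module openvswitch-custom 1.0;

require {
    type openvswitch_t;
    class netlink_socket { create getopt setopt connect getattr read write };
}

# ovs-vswitchd talks to the kernel datapath over sockets it creates itself,
# so the rule is scoped to the domain's own sockets (self) rather than to a
# wider type; an overly wide rule would undo the confinement the distro
# policy provides.
allow openvswitch_t self:netlink_socket { create getopt setopt connect getattr read write };

# Build and load the module (as root on the target host):
#   checkmodule -M -m -o openvswitch-custom.mod openvswitch-custom.te
#   semodule_package -o openvswitch-custom.pp -m openvswitch-custom.mod
#   semodule -i openvswitch-custom.pp
#
# Before widening the rule set, confirm which denials are actually present:
#   ausearch -m avc -ts recent -c ovs-vswitchd
# and let audit2allow propose the minimal additional rules from that output
# for review rather than adding permissions by hand:
#   ausearch -m avc -c ovs-vswitchd | audit2allow -m openvswitch-custom
```

Packaging this module as a subpackage that the main RPM pulls in via `Requires(pre)`, as suggested in the reply above, is what makes it load before the daemons first start.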


