[ovs-dev] [PATCH 0/3] updated selinux policy for Open vSwitch

Aaron Conole aconole at redhat.com
Tue Aug 22 18:36:22 UTC 2017


Flavio Leitner <fbl at sysclose.org> writes:

> On Wed, 16 Aug 2017 16:04:49 -0400
> Aaron Conole <aconole at redhat.com> wrote:
>
>> This series brings about a policy update to openvswitch allowing it to
>> run on a RHEL / Fedora system, even as a non-root user, with selinux set
>> to Enforcing.
>> 
>> The first two patches make some changes to the way the selinux policy is
>> built to have a macro-like effect, allowing the dpdk policy to be enabled
>> or disabled based on the build.  This is chosen instead of using an selinux
>> boolean, because it is more transparent to the end user.
>> 
>> All of this work was tested by passing traffic, including via a dpdk bridge.
>> 
>> Aaron Conole (3):
>>   rhel: make the selinux policy intermediate
>>   makefile: hook up dpdkstrip preprocessor
>>   selinux: update policy to reflect non-root and dpdk support
>> 
>>  Makefile.am                      |  4 ++++
>>  rhel/openvswitch-fedora.spec.in  |  1 +
>>  selinux/automake.mk              |  2 +-
>>  selinux/openvswitch-custom.te    | 16 -------------
>>  selinux/openvswitch-custom.te.in | 52 ++++++++++++++++++++++++++++++++++++++++
>>  5 files changed, 58 insertions(+), 17 deletions(-)
>>  delete mode 100644 selinux/openvswitch-custom.te
>>  create mode 100644 selinux/openvswitch-custom.te.in
>> 
>
> Looks good to me.
> Acked-by: Flavio Leitner <fbl at sysclose.org>

Looks like I missed some tun_socket permissions.  I'm going to update,
and when I do I'll keep your ack.  Once Jean's test suite is finished
I'll incorporate and push out a v2.