[ovs-dev] [PATCH 0/3] updated selinux policy for Open vSwitch
Aaron Conole
aconole at redhat.com
Tue Aug 22 18:36:22 UTC 2017
Flavio Leitner <fbl at sysclose.org> writes:
> On Wed, 16 Aug 2017 16:04:49 -0400
> Aaron Conole <aconole at redhat.com> wrote:
>
>> This series brings about a policy update to openvswitch allowing it to
>> run on a RHEL / Fedora system, even as a non-root user, with selinux set
>> to Enforcing.
>>
>> The first two patches make some changes to the way the selinux policy is
>> built to have a macro-like effect, allowing the dpdk policy to be enabled
>> or disabled based on the build. This is chosen instead of using an selinux
>> boolean, because it is more transparent to the end user.
>>
>> All of this work was tested by passing traffic, including via a dpdk bridge.
>>
>> Aaron Conole (3):
>> rhel: make the selinux policy intermediate
>> makefile: hook up dpdkstrip preprocessor
>> selinux: update policy to reflect non-root and dpdk support
>>
>> Makefile.am | 4 ++++
>> rhel/openvswitch-fedora.spec.in | 1 +
>> selinux/automake.mk | 2 +-
>> selinux/openvswitch-custom.te | 16 -------------
>> selinux/openvswitch-custom.te.in | 52 ++++++++++++++++++++++++++++++++++++++++
>> 5 files changed, 58 insertions(+), 17 deletions(-)
>> delete mode 100644 selinux/openvswitch-custom.te
>> create mode 100644 selinux/openvswitch-custom.te.in
>>
>
> Looks good to me.
> Acked-by: Flavio Leitner <fbl at sysclose.org>

Looks like I missed some tun_socket permissions. I'm going to update,
and when I do I'll keep your ack. Once Jean's test suite is finished
I'll incorporate and push out a v2.