[ovs-dev] [PATCH] selinux: Allow creating tap devices.

Ansis Atteka ansisatteka at gmail.com
Thu Jan 26 20:39:27 UTC 2017


On 26 January 2017 at 04:03, Daniele Di Proietto <diproiettod at vmware.com>
wrote:

> On 25/01/2017 00:01, "Ansis Atteka" <ansisatteka at gmail.com> wrote:
>
> >
> >
> >On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" <diproiettod at vmware.com>
> wrote:
> >
> >Current SELinux policy in RHEL and Fedora doesn't allow the creation of
> >TAP devices.
> >
> >A tap device is used by dpif-netdev to create internal devices.
> >
> >Without this patch, adding any bridge backed by the userspace datapath
> >would fail.
> >
> >This doesn't mean that we can run Open vSwitch with DPDK under SELinux
> >yet, but at least we can use the userspace datapath.
> >
> >Signed-off-by: Daniele Di Proietto <diproiettod at vmware.com>
> >Acked-by: Ansis Atteka <aatteka at ovn.org>
> >
> >
> >I saw that other open source projects like OpenVPN use the rw_file_perms
> >shortcut macro. Not sure how relevant that is for OVS, but that macro
> >expands to a few more function calls than what you have below. Maybe we
> >don't need it, if what you have just worked.
>
> Thanks a lot for the review.
>
> I cooked this up using audit2allow and I tested it on Fedora 25. I'm now
> able to create and delete userspace bridges, without any further complaints
> from SELinux.
>
> I'm definitely not an expert in SELinux, so I'm not sure if it's better to
> use the macro and ask for extra permission, or to hardcode the list.
>
> What do you think?
>
Yeah, LGTM.

Anyway, if you missed any of the function calls defined in the macro, you can
always add them later on.

> >
> >---
> > selinux/openvswitch-custom.te | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> >diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.
> te
> >index 47ddb562c..98de89c98 100644
> >--- a/selinux/openvswitch-custom.te
> >+++ b/selinux/openvswitch-custom.te
> >@@ -5,8 +5,11 @@ require {
> >         type openvswitch_tmp_t;
> >         type ifconfig_exec_t;
> >         type hostname_exec_t;
> >+        type tun_tap_device_t;
> >         class netlink_socket { setopt getopt create connect getattr
> write read };
> >         class file { write getattr read open execute execute_no_trans };
> >+        class chr_file { ioctl open read write };
> >+        class tun_socket { create };
> > }
> >
> > #============= openvswitch_t ==============
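Review bot: the permission lists declared in this require block (`class chr_file { ioctl open read write };` and `class tun_socket { create };`) duplicate the lists in the allow rules of the next hunk and have to be kept in sync by hand; if the chr_file rule is later widened, as the review discussion about rw_file_perms suggests it might be, the class declaration here must be widened in the same change or checkmodule will reject the module for an undeclared permission. Since the list came from audit2allow on one Fedora 25 test run, it contains only the permissions that were actually denied on that path; anything the userspace datapath does not exercise during bridge create/delete is not declared here and will surface as a new AVC denial later.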
> >@@ -14,3 +17,5 @@ allow openvswitch_t self:netlink_socket { setopt getopt
> create connect getattr w
> > allow openvswitch_t hostname_exec_t:file { read getattr open execute
> execute_no_trans };
> > allow openvswitch_t ifconfig_exec_t:file { read getattr open execute
> execute_no_trans };
> > allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
> >+allow openvswitch_t self:tun_socket { create };
> >+allow openvswitch_t tun_tap_device_t:chr_file { ioctl open read write };
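Review bot: the hard-coded `{ ioctl open read write }` on tun_tap_device_t:chr_file is a strict subset of refpolicy's rw_chr_file_perms set, which additionally carries getattr, append and lock, so a later fstat() on the opened /dev/net/tun descriptor would still be denied; answering the question in the thread, the macro is the better choice only if openvswitch-custom.te is built through the selinux-policy devel Makefile, because plain `checkmodule -M -m` does not run m4 and would reject `rw_chr_file_perms` as an unknown identifier, in which case the explicit list is correct and getattr should simply be added to both the allow rule and the require block. The `self:tun_socket { create }` rule is the check the kernel makes when TUNSETIFF creates a new tap, so together with the chr_file rule it is the minimum for dpif-netdev to create its own internal devices, which is all the commit message claims.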
> >--
> >2.11.0
> >
> >_______________________________________________
> >dev mailing list
> >dev at openvswitch.org
> >https://mail.openvswitch.org/mailman/listinfo/ovs-dev
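The audit2allow step described in the thread, as an added example that is not Open vSwitch code and not from either poster: a small Python script that parses AVC denial records, aggregates the denied permissions into allow rules and a matching require block, and then reports which refpolicy permission-set macro (the rw_file_perms / rw_chr_file_perms question raised above) would cover each hard-coded list and which extra permissions that macro would grant. The sample records are constructed to match the types in the patch (PIDs, inode numbers and timestamps are invented), and the macro contents are taken from refpolicy's obj_perm_sets.spt as an assumption to verify against the installed policy.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real logs): the denials the OVS
# userspace datapath would produce while opening /dev/net/tun and issuing
# TUNSETIFF, plus one unrelated USER_AVC record that must be ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1485366000.101:301): avc:  denied  { read write } for  pid=2001 comm="ovs-vswitchd" name="tun" dev="devtmpfs" ino=12 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1485366000.101:302): avc:  denied  { open } for  pid=2001 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=12 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1485366000.102:303): avc:  denied  { ioctl } for  pid=2001 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=12 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1485366000.102:304): avc:  denied  { create } for  pid=2001 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=1
type=USER_AVC msg=audit(1485366000.103:305): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# One "denied { perms } for ... scontext= tcontext= tclass=" record per line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permission sets as defined in refpolicy's obj_perm_sets.spt (assumption:
# confirm against the policy sources installed on the target system).
PERM_SETS = {
    "chr_file": {"rw_chr_file_perms": {"getattr", "open", "read", "write", "append", "ioctl", "lock"}},
    "file": {"rw_file_perms": {"open", "getattr", "read", "write", "append", "ioctl", "lock"}},
}


def type_of(context):
    """Extract the type field: system_u:system_r:openvswitch_t:s0 -> openvswitch_t."""
    return context.split(":")[2]


def parse_avc(text):
    """Aggregate denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial record (e.g. USER_AVC notices)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def allow_rules(rules):
    """Render allow rules; a target equal to the source becomes 'self'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def require_block(rules):
    """Render the require block that declares every type, class and permission used."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = ["require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines.append("}")
    return "\n".join(lines)


def macro_candidates(rules):
    """For each rule whose observed perms fit inside a known macro, return the
    macro name and the extra permissions the macro would grant on top."""
    out = {}
    for (src, tgt, cls), perms in rules.items():
        for name, macro_perms in PERM_SETS.get(cls, {}).items():
            if perms <= macro_perms:
                out[(src, tgt, cls)] = (name, sorted(macro_perms - perms))
    return out


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AVC)
    print(require_block(rules))
    for rule in allow_rules(rules):
        print(rule)
    for key, (macro, extra) in macro_candidates(rules).items():
        print(f"# {key[2]} rule fits {macro}; macro would add: {' '.join(extra)}")
```

Run against the constructed records, the script reproduces the two allow rules from the patch and points out that the chr_file list fits rw_chr_file_perms, which would additionally grant append, getattr and lock; that is the trade-off the thread discusses between asking for the observed minimum and asking for the whole macro.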