[ovs-dev] [PATCH v3 0/3] updated selinux policy for Open vSwitch

Aaron Conole aconole at redhat.com
Fri Sep 1 17:20:03 UTC 2017


Ansis Atteka <ansisatteka at gmail.com> writes:

> On 31 August 2017 at 16:22, Aaron Conole <aconole at redhat.com> wrote:
>> This series brings about a policy update to openvswitch allowing it to
>> run on a RHEL / Fedora system, even as a non-root user, with selinux set
>> to Enforcing.
>>
>> The first two patches make some changes to the way the selinux policy is
>> built to have a macro-like effect, allowing the dpdk policy to be enabled
>> or disabled based on the build.  This is chosen instead of using an selinux
>> boolean, because it is more transparent to the end user.
>>
>> All of this work was tested by passing traffic, including via a dpdk bridge.
>>
>> I'm hoping that this can be backported to the 2.8 branch (since it would be
>> needed to make Fedora 2.8 make sense), but if not, we can always do the manual
>> backport.
>>
> I already pushed your patches to master branch. However, before
> back-porting them to 2.8 I think more testing is required. For
> example:

Agreed.  I addressed your concerns, and also found a really
embarrassingly stupid mistake.

I plan on continuing to test it anyway.  I'll be making some beer this
weekend so I should have some spare cycles to kick stuff off.

Thanks for all your help, Ansis!

-Aaron

