[ovs-dev] [PATCH 4/4] rhel: selinux-policy to invoke proper label macros

Aaron Conole aconole at redhat.com
Wed Apr 25 18:02:19 UTC 2018


Aaron Conole <aconole at redhat.com> writes:

> Ansis Atteka <ansisatteka at gmail.com> writes:
>
>> On 20 March 2018 at 14:05, Aaron Conole <aconole at redhat.com> wrote:
>>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>>> or relabeling on all versions of Fedora/RHEL.  According to:
>>>   https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>>
>>> This commit switches to use the selinux rpm macros which will ensure that
>>> all of the labels defined in the .fc.in file are applied properly.
>>
>> Ok, it seems you need to send similar patch for
>> rhel/openvswitch.spec.in. Not only for fedora.
>
> Cool, will do.
>
>> In the meantime I will later try to add fedorabuilder to the Vagrant
>> builder recipes and test what you have for Fedora.
>
> Ansis++!! Thanks!
>
>> Also, why was I able to reload openvswitch kernel module on CentOS
>> without the ovs-kmod-ctl being properly marked? Are there some rules
>> that we would need to remove now from openvswitch.te?
>
> I'm not sure.  I'm using Fedora and RHEL for my testing, and it seems
> the policies/labels are a bit different.  Maybe Lukas (cc'd) knows more?

I have an answer for this (the PoC thing works awesome for my testing,
btw - thanks again!).  CentOS is based on RHEL 7.4, which also doesn't
exhibit this behavior.  I believe an upgraded selinux policy (or
possibly systemd) which uses additional contexts is causing this in RHEL
7.5 and newer Fedora versions.  Once CentOS is running with the similar
bits to RHEL 7.5, I think we will see this, so your point above is
correct - it needs to be there for the openvswitch.spec.in file as well.

Thanks, Ansis!  I'm re-spinning this series.

>>>
>>> Signed-off-by: Aaron Conole <aconole at redhat.com>
>>> ---
>>>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
>>> index 8fbc985ce..b606cb7e0 100644
>>> --- a/rhel/openvswitch-fedora.spec.in
>>> +++ b/rhel/openvswitch-fedora.spec.in
>>> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>>  %clean
>>>  rm -rf $RPM_BUILD_ROOT
>>>
>>> +%pre selinux-policy
>>> +%selinux_relabel_pre -s targeted
>>> +
>>>  %preun
>>>  %if 0%{?systemd_preun:1}
>>>      %systemd_preun %{name}.service
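Review bot: the new `%pre selinux-policy` scriptlet relies on `%selinux_relabel_pre` expanding at build time, but this hunk shows no matching dependency change; if the spec does not already carry them, add `BuildRequires: selinux-policy-devel` so the macro is defined when rpmbuild runs, and `%{?selinux_requires}` on the selinux-policy subpackage so the tools the scriptlets call are present at install time, as the IndependentPolicy page linked in the commit message describes.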
>>> @@ -444,7 +447,7 @@ fi
>>>  %endif
>>>
>>>  %post selinux-policy
>>> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>>> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>>
>>>  %postun
>>>  %if 0%{?systemd_postun:1}
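Review bot: the policy store name `targeted` is hard-coded in `%selinux_modules_install -s targeted` here and again in the `%pre`, `%postun` and `%posttrans` scriptlets of this patch; defining it once (e.g. `%global selinuxtype targeted`) and passing `-s %{selinuxtype}` keeps the four calls from drifting apart, and a similar `%global` for the module name would keep this `.pp` path and the bare `openvswitch-custom` used by `%postun` in step.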
>>> @@ -476,9 +479,12 @@ fi
>>>
>>>  %postun selinux-policy
>>>  if [ $1 -eq 0 ] ; then
>>> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>>> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>>>  fi
>>>
>>> +%posttrans selinux-policy
>>> +%selinux_relabel_post -s targeted
>>> +
>>>  %files selinux-policy
>>>  %defattr(-,root,root)
>>>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
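Review bot: `%postun selinux-policy` unloads the module on erase (`$1 -eq 0`), but the only relabel is in `%posttrans`, which rpm does not run for a package being erased, so paths labelled through the module's `.fc` entries keep contexts the base policy no longer defines after removal; consider adding `%selinux_relabel_post -s targeted` inside the `if [ $1 -eq 0 ]` branch right after `%selinux_modules_uninstall`, so those files fall back to the base policy's labels.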
>>> --
>>> 2.14.3
>>>
