[ovs-git] [openvswitch/ovs] ee29e9: selinux: add a new target to build the policy

GitHub noreply at github.com
Sat Feb 24 02:20:47 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: ee29e9feb235136f0055c124d87bd9a68bf8e71a
      https://github.com/openvswitch/ovs/commit/ee29e9feb235136f0055c124d87bd9a68bf8e71a
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-02-23 (Fri, 23 Feb 2018)

  Changed paths:
    M rhel/openvswitch-fedora.spec.in
    M rhel/openvswitch.spec.in
    M selinux/automake.mk

  Log Message:
  -----------
  selinux: add a new target to build the policy

The selinux policy currently builds manually, as a process that either
the user or distribution maintainer undertakes.  That process consists
of:

  1. Convert the intermediary files into their file form through
     'make' statements at the top level.

  2. Change to the selinux directory and issue the selinux "make -f"
     directive.

This commit introduces a new target 'selinux-policy' which builds the
openvswitch-custom policy files.

Signed-off-by: Aaron Conole <aconole at redhat.com>
Acked-by: Ansis Atteka <aatteka at ovn.org>


  Commit: ee1c7296ece67b5b35e528620c645a9c3f2a5c16
      https://github.com/openvswitch/ovs/commit/ee1c7296ece67b5b35e528620c645a9c3f2a5c16
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-02-23 (Fri, 23 Feb 2018)

  Changed paths:
    M selinux/openvswitch-custom.te.in

  Log Message:
  -----------
  selinux: allow dpdkvhostuserclient sockets with newer libvirt

Newer libvirt and openstack versions will now label the unix socket as
an `svirt_tmpfs_t` object.  This means that in order to support
deploying with the recommended configuration (using a
dpdkvhostuserclient socket), additional permissions need to be
installed as part of the selinux policy.

An example of some of the AVC violations:

    type=AVC msg=audit(1518752799.102:978): avc:  denied  { write }
    for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94
    scontext=system_u:system_r:openvswitch_t:s0
    tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

    type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto }
    for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0"
    scontext=system_u:system_r:openvswitch_t:s0
    tcontext=system_u:system_r:svirt_t:s0:c106,c530
    tclass=unix_stream_socket

Signed-off-by: Aaron Conole <aconole at redhat.com>
Acked-by: Ansis Atteka <aatteka at ovn.org>
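The denials quoted above are the kind of record a policy maintainer turns into type-enforcement allow rules. As an added example (not part of this commit or of the OVS tree), the following Python parses such AVC records and emits the corresponding allow rules, a simplified version of what audit2allow does; the sample input is constructed from the two denials in the commit message, re-joined onto single lines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two denials quoted in the commit message,
# re-joined onto single lines the way auditd records them.
SAMPLE_AVC = """
type=AVC msg=audit(1518752799.102:978): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
"""

# The fields of an AVC record that determine a type-enforcement rule.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

@dataclass(frozen=True)
class Denial:
    source: str       # type of the subject, e.g. openvswitch_t
    target: str       # type of the object or peer, e.g. svirt_tmp_t
    tclass: str       # object class, e.g. sock_file
    perms: frozenset  # permissions that were refused

def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:mls range] security context."""
    return ctx.split(":")[2]

def parse_avc(text: str) -> list:
    """Parse audit text into Denial records, ignoring non-AVC and granted lines."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        denials.append(Denial(
            source=context_type(m.group("scontext")),
            target=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=frozenset(m.group("perms").split()),
        ))
    return denials

def allow_rules(denials: list) -> list:
    """Merge permissions per (source, target, class) into one allow rule each, in .te syntax."""
    merged = {}
    for d in denials:
        key = (d.source, d.target, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

A rule produced this way is only a starting point: a denial can also indicate a mislabelled object (compare the `svirt_tmp_t` in the first record with the `svirt_tmpfs_t` the message names), so the types involved should be checked before the rule is added to a policy.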


Compare: https://github.com/openvswitch/ovs/compare/eb84ccc3e861...ee1c7296ece6