[ovs-git] [openvswitch/ovs] 151171: ovs-kmod-ctl: introduce a kernel module load scrip...

GitHub noreply at github.com
Mon Jun 18 02:35:57 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 15117123c53ef35394667bf156842842949aaa47
      https://github.com/openvswitch/ovs/commit/15117123c53ef35394667bf156842842949aaa47
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M debian/openvswitch-switch.install
    M debian/openvswitch-switch.manpages
    M rhel/openvswitch-fedora.spec.in
    M rhel/openvswitch.spec.in
    M utilities/.gitignore
    M utilities/automake.mk
    M utilities/ovs-ctl.in
    A utilities/ovs-kmod-ctl.8
    A utilities/ovs-kmod-ctl.in
    M utilities/ovs-lib.in

  Log Message:
  -----------
  ovs-kmod-ctl: introduce a kernel module load script

Currently, Open vSwitch on linux embeds the logic of loading and unloading
kernel modules into the ovs-ctl and ovs-lib script files.  This works, but
it means that there is no way to leverage extended filesystem attributes
to grant fine grain permissions relating to module loading.

The split out utility 'ovs-kmod-ctl' will be used in an upcoming commit
for RHEL-based distributions to have a separate transition domain that
will allow module loading to be given to a separate selinux domain from
the openvswitch_t domain.

Acked-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>


  Commit: 6cd775f423f7a0e841d420d709d5cb69afeb2753
      https://github.com/openvswitch/ovs/commit/6cd775f423f7a0e841d420d709d5cb69afeb2753
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M selinux/openvswitch-custom.te.in

  Log Message:
  -----------
  selinux: create a transition type for module loading

Defines a type 'openvswitch_load_module_t' used exclusively for loading
modules.  This means that the 'openvswitch_t' domain won't require
access to the module loading facility - such access can only happen
after transitioning through the 'openvswitch_load_module_exec_t'
transition context.

A future commit will instruct the selinux policy on how to label the
appropriate script with extended attributes to make use of this new domain.

Acked-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>


  Commit: 135901ae4de2822a20b2450d6251f70287916bf2
      https://github.com/openvswitch/ovs/commit/135901ae4de2822a20b2450d6251f70287916bf2
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M selinux/openvswitch-custom.te.in

  Log Message:
  -----------
  selinux: allow openvswitch_t net_broadcast and net_raw

The ovs-vswitchd daemon requires both CAP_NET_RAW and
CAP_NET_BROADCAST, but these are generally prevented by selinux
policy.  This allows these capabilities to be retained by the
openvswitch_t domain.

example:

  type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
  net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11
  scontext=system_u:system_r:openvswitch_t:s0
  tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

  type=AVC msg=audit(1527876508.109:3043): avc:  denied  {
  net_raw } for pid=5368 comm="ovs-vswitchd" capability=11
  scontext=system_u:system_r:openvswitch_t:s0
  tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

Acked-by: Ansis Atteka <aatteka at ovn.org>
Signed-off-by: Aaron Conole <aconole at redhat.com>
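
As an added example, not part of the commit notification or of the OVS project's own code, the Python below parses the two AVC records quoted above, collapses the denials into the minimal `allow` rule the policy change needs (the way audit2allow would), and cross-checks each permission name against the `capability=` number in the record. The CAP_NAMES table is taken from the Linux capability numbering; the sample lines are the page's records re-joined onto one line each.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the commit message, re-joined onto one line each.
AVC_SAMPLE = """\
type=AVC msg=audit(1527876508.109:3043): avc:  denied  { net_broadcast } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527876508.109:3043): avc:  denied  { net_raw } for pid=5368 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
"""

# verdict, the permission set in braces, then the key=value fields after "for".
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)

# Linux capability numbers (from <linux/capability.h>) for the capabilities relevant here.
CAP_NAMES = {11: "net_broadcast", 12: "net_admin", 13: "net_raw", 16: "sys_module"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules refer to.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(records):
    """Collapse denials into one allow rule per (source, target, class), like audit2allow."""
    needed = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        # Same source and target context means the rule targets "self".
        target = "self" if r["scontext"] == r["tcontext"] else r["ttype"]
        needed[(r["sdomain"], target, r["tclass"])].update(r["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


def capability_mismatches(records):
    """Flag records whose capability= number does not name the denied permission.

    The permission in braces is authoritative; a mismatch usually means the
    record was hand-edited or mangled while being copied into a report."""
    out = []
    for r in records:
        if r.get("tclass") == "capability" and "capability" in r:
            expected = CAP_NAMES.get(int(r["capability"]))
            out.extend((p, int(r["capability"]), expected)
                       for p in r["perms"] if expected is not None and p != expected)
    return out
```

Running `allow_rules` over the sample yields a single rule for `openvswitch_t self:capability`, which is the shape of the change this commit makes; `capability_mismatches` reports the second record, whose number (11) names net_broadcast rather than net_raw (13).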


  Commit: 341a373d0aae62d669d31ad57895a74bb4c3befc
      https://github.com/openvswitch/ovs/commit/341a373d0aae62d669d31ad57895a74bb4c3befc
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M selinux/openvswitch-custom.te.in

  Log Message:
  -----------
  selinux: tag the custom policy version

Since the policy is an intermediate file, it can inherit the policy
module version from the release version.

Also include an SPDX identifier.

Suggested-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Ansis Atteka <aatteka at ovn.org>
Signed-off-by: Aaron Conole <aconole at redhat.com>


  Commit: a0efb7c92d45d87de55a75a1fc12f202402925ac
      https://github.com/openvswitch/ovs/commit/a0efb7c92d45d87de55a75a1fc12f202402925ac
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M selinux/.gitignore
    M selinux/automake.mk
    A selinux/openvswitch-custom.fc.in

  Log Message:
  -----------
  selinux: introduce domain transitioned kmod helper

This commit uses the previously defined selinux label to transition
from the openvswitch_t to openvswitch_load_module_t domain by
executing ovs-kmod-ctl that is labelled with
openvswitch_load_module_exec_t type.

Note that unless the selinux relabel operation is invoked, the script
will not be labelled.  This merely instructs the selinux tools that
ovs-kmod-ctl should have a label applied.

Acked-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>


  Commit: 21aade70f3e0af30696569a30fc6a16115219a08
      https://github.com/openvswitch/ovs/commit/21aade70f3e0af30696569a30fc6a16115219a08
  Author: Aaron Conole <aconole at redhat.com>
  Date:   2018-06-17 (Sun, 17 Jun 2018)

  Changed paths:
    M rhel/openvswitch-fedora.spec.in
    M rhel/openvswitch.spec.in

  Log Message:
  -----------
  rhel: selinux-policy to invoke proper label macros

The rpm doesn't invoke all of the required selinux helpers to enact labeling
or relabeling on all versions of Fedora/RHEL.  According to:
  https://fedoraproject.org/wiki/SELinux/IndependentPolicy

This commit switches to use the selinux rpm macros which will ensure that
all of the labels defined in the .fc.in file are applied properly.

Acked-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>


Compare: https://github.com/openvswitch/ovs/compare/5d2988f7108a...21aade70f3e0