[ovs-git] [openvswitch/ovs] 2fb4a8: selinux: Add missing permissions for ovs-kmod-ctl

GitHub noreply at github.com
Fri Jan 18 22:04:02 UTC 2019


  Branch: refs/heads/branch-2.10
  Home:   https://github.com/openvswitch/ovs
  Commit: 2fb4a80877ae3605626cb23344e38caff6ea98d3
      https://github.com/openvswitch/ovs/commit/2fb4a80877ae3605626cb23344e38caff6ea98d3
  Author: Yi-Hung Wei <yihung.wei at gmail.com>
  Date:   2019-01-18 (Fri, 18 Jan 2019)

  Changed paths:
    M selinux/openvswitch-custom.te.in

  Log Message:
  -----------
  selinux: Add missing permissions for ovs-kmod-ctl

Starting from OVS 2.10, ovs-vswitchd may fail to run after a system reboot
since it fails to load the ovs kernel module.  This is because the conntrack
zone limit feature introduced in OVS 2.10 now depends on the
nf_conntrack_ipv4/6 kernel module, and SELinux prevents it from loading the
two kernel modules.

Example log of the AVC violations:
    type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
    for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
    pid=819 comm="modprobe" kmod="nf_conntrack-2"
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:system_r:kernel_t:s0 tclass=system

This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl
so that the aforementioned issue is resolved.

VMWare-BZ: #2257534
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
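The two AVC records quoted in the commit message are the raw material from which the missing rules are derived. The script below, an added example and not part of the OVS patch or the project's selinux/ directory, does by hand what audit2allow does: it splits the (line-wrapped) audit text into records, pulls the denied permission set, the source and target types out of scontext/tcontext, and the object class, and prints the type-enforcement allow rule each denial implies. The sample input is the two records from this message, reconstructed with the wrapping a mailing-list client applies; the resulting rules are the audit2allow form, and the project's .te.in may express the same permissions through reference-policy interface macros instead.

```python
"""Derive candidate SELinux allow rules from AVC denial records.

Added example (not OVS project code). It mirrors what audit2allow does for
the two denials quoted in the commit message, so the reader can see how an
AVC record maps onto a type-enforcement rule before editing a .te file.
"""
import re
from dataclasses import dataclass

# Constructed input: the two AVC records from the commit message, wrapped
# across lines the way the mailing-list message shows them.
SAMPLE_AVC = """\
type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
pid=819 comm="modprobe" kmod="nf_conntrack-2"
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# "avc: denied { perm1 perm2 }" -> the permission list inside the braces.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; quoted values may contain spaces (comm="some name").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: tuple

    def allow_rule(self) -> str:
        """Render the denial as the allow rule that would permit it."""
        if len(self.perms) == 1:
            perms = self.perms[0]
        else:
            perms = "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def _context_type(ctx: str) -> str:
    # A context is user:role:type:level; the rule only needs the type.
    return ctx.split(":")[2]


def split_records(text: str):
    """Yield one whitespace-normalised record per blank-line-separated block."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield " ".join(block.split())


def parse_denial(record: str):
    """Parse a single type=AVC record; return None for anything else."""
    if "type=AVC" not in record:
        return None
    m = PERMS_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    try:
        return Denial(
            source_type=_context_type(fields["scontext"]),
            target_type=_context_type(fields["tcontext"]),
            tclass=fields["tclass"],
            perms=tuple(sorted(m.group(1).split())),
        )
    except KeyError:
        # Malformed record (missing scontext/tcontext/tclass): skip it.
        return None


def avc_to_allow_rules(text: str) -> list:
    """Return the de-duplicated allow rules implied by the AVC records in text."""
    rules = []
    for record in split_records(text):
        denial = parse_denial(record)
        if denial is not None and denial.allow_rule() not in rules:
            rules.append(denial.allow_rule())
    return rules


if __name__ == "__main__":
    for rule in avc_to_allow_rules(SAMPLE_AVC):
        print(rule)
```

Run against the two records on this page it yields `allow openvswitch_load_module_t shell_exec_t:file execute_no_trans;` and `allow openvswitch_load_module_t kernel_t:system module_request;`, which is exactly the pair of gaps the commit message describes: the modprobe wrapper could not execute bash without a domain transition, and the load-module domain could not ask the kernel to autoload nf_conntrack. The parser deliberately handles only `type=AVC` records and derives rules from types rather than full contexts, so the output is a starting point to review against the existing policy, not something to paste blindly.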


