On 25/01/2017 00:01, "Ansis Atteka" <ansisatt...@gmail.com> wrote:

>
>
>On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" <diproiet...@vmware.com> wrote:
>
>Current SELinux policy in RHEL and Fedora doesn't allow the creation of
>TAP devices.
>
>A tap device is used by dpif-netdev to create internal devices.
>
>Without this patch, adding any bridge backed by the userspace datapath
>would fail.
>
>This doesn't mean that we can run Open vSwitch with DPDK under SELinux
>yet, but at least we can use the userspace datapath.
>
>Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com>
>
>
>
>
>Acked-by: Ansis Atteka <aatt...@ovn.org>
>
>
>I saw that other open source projects like OpenVPN use the rw_file_perms shortcut
>macro. Not sure how relevant that is for OVS, but that macro expands to a
>few more function calls than what you have below. Maybe we don't need it,
>if what you have just worked.

Thanks a lot for the review.

I cooked this up using audit2allow and I tested it on Fedora 25. I'm now able
to create and delete userspace bridges, without any further complaints from
SELinux.

I'm definitely not an expert in SELinux, so I'm not sure if it's better to use 
the macro and ask for extra permission, or to hardcode the list.

What do you think?

>
>---
> selinux/openvswitch-custom.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
>index 47ddb562c..98de89c98 100644
>--- a/selinux/openvswitch-custom.te
>+++ b/selinux/openvswitch-custom.te
>@@ -5,8 +5,11 @@ require {
>         type openvswitch_tmp_t;
>         type ifconfig_exec_t;
>         type hostname_exec_t;
>+        type tun_tap_device_t;
>         class netlink_socket { setopt getopt create connect getattr write 
> read };
>         class file { write getattr read open execute execute_no_trans };
>+        class chr_file { ioctl open read write };
>
>
>
>
>+        class tun_socket { create };
> }
>
> #============= openvswitch_t ==============
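Review bot: the new chr_file permission set for tun_tap_device_t, `class chr_file { ioctl open read write };`, omits getattr, which the file class declared on the line above already carries; since this list was produced by audit2allow from the operations actually exercised in one Fedora 25 test (create and delete a userspace bridge), any code path that fstat()s the device, or otherwise touches it on a path that was not exercised, will surface as a fresh denial later. Either add getattr here and in the matching allow rule, or state in the commit message which operations were exercised so a reader can judge whether the list is complete.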
>@@ -14,3 +17,5 @@ allow openvswitch_t self:netlink_socket { setopt getopt 
>create connect getattr w
> allow openvswitch_t hostname_exec_t:file { read getattr open execute 
> execute_no_trans };
> allow openvswitch_t ifconfig_exec_t:file { read getattr open execute 
> execute_no_trans };
> allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
>+allow openvswitch_t self:tun_socket { create };
>+allow openvswitch_t tun_tap_device_t:chr_file { ioctl open read write };
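Review bot: the two new allow rules carry no comment explaining why openvswitch_t needs them, while the commit message does (dpif-netdev backs internal devices with a TAP device). Put a one-line comment above `allow openvswitch_t self:tun_socket { create };` in openvswitch-custom.te saying so, otherwise a later policy clean-up can drop the rules and silently break every userspace-datapath bridge. The comment should also note that the rule is not scoped to the devices dpif-netdev creates: it lets the daemon create any tun/tap interface and read/write /dev/net/tun, which is the price of running the userspace datapath under this policy.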
>--
>2.11.0
>
>_______________________________________________
>dev mailing list
>d...@openvswitch.org
>https://mail.openvswitch.org/mailman/listinfo/ovs-dev
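As an added illustration of the audit2allow step Daniele describes, the following is a small POSIX sh/awk stand-in for the `ausearch -m avc | audit2allow` pipeline. It is example code written for this page, not Open vSwitch code and not something from the thread. It folds AVC denial records into one allow rule per (source type, target type, class), which is the shape of the rules in the patch, and then reports what a broader permission set would grant on top of the generated list. The audit records are constructed to mirror the operations the patch permits (they are not real audit output), and the permission set given as the second argument to `missing_perms` is an assumed expansion of a refpolicy `rw_*_file_perms` macro, used only to make Ansis's point concrete; check obj_perm_sets.spt in the policy sources you actually build against.

```shell
#!/bin/sh
# Added example for this thread, not Open vSwitch code: a stand-in for the
# "ausearch -m avc | audit2allow" step that produced the patch above.
# It folds AVC denial records into one allow rule per (source type, target
# type, class), the shape of the rules in openvswitch-custom.te.

# Constructed audit records (not real output). They mirror the operations the
# patch permits: creating a tun socket and opening /dev/net/tun for I/O.
# The SYSCALL record is there to show that non-AVC records are ignored.
SAMPLE_AVC='type=AVC msg=audit(1485302400.101:201): avc:  denied  { create } for  pid=2001 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=0
type=SYSCALL msg=audit(1485302400.101:201): arch=c000003e syscall=16 success=no exit=-13 comm="ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1485302400.102:202): avc:  denied  { read write } for  pid=2001 comm="ovs-vswitchd" name="tun" dev="devtmpfs" ino=9001 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485302400.103:203): avc:  denied  { open } for  pid=2001 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=9001 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485302400.104:204): avc:  denied  { ioctl } for  pid=2001 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=9001 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0'

# avc_to_allow: read audit records on stdin, print one allow rule per
# (source type, target type, class). Permissions are listed in the order
# first seen; rules are sorted so the output is stable. A source type equal
# to the target type is written as "self", as in the patch.
avc_to_allow() {
    awk '
    /avc: +denied +[{]/ {
        # Permissions are the words between the braces.
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        st = tt = cls = ""
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type:level; the type is the third field.
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st == "" || tt == "" || cls == "") next
        key = st SUBSEP tt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = (plist[key] == "" ? p[j] : plist[key] " " p[j])
            }
        }
    }
    END {
        for (key in plist) {
            split(key, k, SUBSEP)
            tgt = (k[1] == k[2]) ? "self" : k[2]
            printf "allow %s %s:%s { %s };\n", k[1], tgt, k[3], plist[key]
        }
    }' | sort
}

# missing_perms GOT WANTED: print each permission in WANTED (space separated)
# that is absent from GOT, one per line. Empty output means GOT covers WANTED.
missing_perms() {
    for w in $2; do
        case " $1 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# Stand-alone run: print the generated rules, then list what a broader
# permission set would add on top of the audit2allow-derived chr_file list.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
# The second argument is an ASSUMED expansion of a refpolicy rw_*_file_perms
# macro, given only to illustrate the macro-versus-hardcoded-list question;
# verify it against obj_perm_sets.spt in your policy sources.
missing_perms "ioctl open read write" "open getattr read write append ioctl lock"
```

Run as-is the script prints exactly the two allow rules the patch adds, and the `missing_perms` call shows which permissions the macro route would grant that the audit2allow list does not. The design choice this makes visible is the one the thread is debating: the generated list is the minimum for the code paths that were exercised, so it is least privilege for those paths but brittle against untested paths, while the macro trades a few extra permissions for not having to re-run audit2allow when a new code path touches the device.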