Daniele Di Proietto <diproiet...@vmware.com> writes: > On 25/01/2017 00:01, "Ansis Atteka" <ansisatt...@gmail.com> wrote: > >>On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" <diproiet...@vmware.com> wrote: >> >>Current SELinux policy in RHEL and Fedora doesn't allow the creation of >>TAP devices. >> >>A tap device is used by dpif-netdev to create internal devices. >> >>Without this patch, adding any bridge backed by the userspace datapath >>would fail. >> >>This doesn't mean that we can run Open vSwitch with DPDK under SELinux >>yet, but at least we can use the userspace datapath. >> >>Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com>
I just noticed this, sorry for jumping in late. >>Acked-by: Ansis Atteka <aatt...@ovn.org> >> >> >>I saw that other open source projects like OpenVPN use rw_file_perms >> shortcut macro. Not sure how relevant that is for OVS but that macro >> expands to a little more function calls than what you have >> below. Maybe we don't need it, if what you have >> just worked. > > Thanks a lot for the review. > > I cooked this up using audit2allow and I tested it on fedora 25. I'm > now able to create and delete userspace bridges, without any further > complaints from selinux I have the following openvswitch-custom.te that did work to run ovs+dpdk under selinux and pass traffic: -------------------- 8< -------------------- require { type openvswitch_t; type openvswitch_tmp_t; type openvswitch_var_run_t; type ifconfig_exec_t; type hostname_exec_t; type vfio_device_t; type kernel_t; type tun_tap_device_t; type hugetlbfs_t; type init_t; class netlink_socket { setopt getopt create connect getattr write read }; class file { write getattr read open execute execute_no_trans create unlink }; class chr_file { write getattr read open ioctl }; class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; class dir { write remove_name add_name lock read }; } #============= openvswitch_t ============== allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read }; allow openvswitch_t hugetlbfs_t:file { create unlink }; allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t init_t:file { read open }; -------------------- >8 -------------------- You'll note that this change gives the openvswitch complete access to hugetlbfs label, which might be the biggest scary part. > I'm definitely not an expert in SELinux, so I'm not sure if it's > better to use the macro and ask for extra permission, or to hardcode > the list. > > What do you think? For macro usage? I haven't messed with them at all. I'll note that https://github.com/redhat-openstack/openstack-selinux/pull/5/commits/67606ffa6ea85db73e1955868f53848e05096bf0 has what appear to be these macros in a .te file, but I'm going to echo what is previously written: I'm not an selinux expert. -Aaron _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev