This series brings about a policy update to openvswitch allowing it to
run on a RHEL / Fedora system, even as a non-root user, with selinux set
to Enforcing.

The first two patches make some changes to the way the selinux policy is
built to have a macro-like effect, allowing the dpdk policy to be enabled
or disabled based on the build.  This is chosen instead of using an selinux
boolean, because it is more transparent to the end user.

All of this work was tested by passing traffic, including via a dpdk bridge.

I'm hoping that this can be backported to the 2.8 branch (since it would be
needed to make Fedora 2.8 make sense), but if not, we can always do the manual
backport.

Original Series:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337513.html

v2->v3:
* move tun_tap_device_t permissions to be more general purpose

v1->v2:
* updated after PVP testing.  There are still permissions needed to be added
  to libvirt / qemu, but that is outside the scope of Open vSwitch project.
* Folded in Flavio Leitner's ACK

Aaron Conole (3):
  rhel: make the selinux policy intermediate
  makefile: hook up dpdkstrip preprocessor
  selinux: update policy to reflect non-root and dpdk support

 Makefile.am                      |  4 +++
 rhel/openvswitch-fedora.spec.in  |  1 +
 selinux/automake.mk              |  2 +-
 selinux/openvswitch-custom.te    | 16 ------------
 selinux/openvswitch-custom.te.in | 54 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 17 deletions(-)
 delete mode 100644 selinux/openvswitch-custom.te
 create mode 100644 selinux/openvswitch-custom.te.in

-- 
2.9.4
