On Wednesday, January 27, 2016, Flavio Leitner <f...@sysclose.org> wrote:
> On Thu, 21 Jan 2016 17:09:42 -0500
> Russell Bryant <russ...@ovn.org> wrote:
>
> > On 01/20/2016 05:59 PM, Ansis Atteka wrote:
> > > CentOS, RHEL and Fedora distributions ship with their own Open
> > > vSwitch SELinux policy that is too strict and prevents Open vSwitch
> > > from working normally out of the box.
> > >
> > > As a solution, this patch introduces a new package which will
> > > "loosen" up "openvswitch_t" SELinux domain so that Open vSwitch
> > > could operate normally.
> > >
> > > Intended use-cases of this package are:
> > > 1. to allow users to install newer Open vSwitch on already released
> > >    Fedora, RHEL and CentOS distributions where the default Open
> > >    vSwitch SELinux policy that shipped with the corresponding Linux
> > >    distribution is not up to date and did not anticipate that a newer
> > >    Open vSwitch version might need to invoke new system calls or need
> > >    to access certain system resources that it did not before; and
> > > 2. to provide alternative means through which Open vSwitch
> > >    developers can proactively fix SELinux related policy issues
> > >    without waiting for corresponding Linux distribution maintainers to
> > >    update their central Open vSwitch SELinux policy.
> > >
> > > This patch was tested on Fedora 23 and CentOS 7. I verified that now
> > > on Fedora 23 Open vSwitch can create a NetLink socket; and that I
> > > did not see the following error messages:
> > >
> > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > > netlink_socket|ERR|fcntl: Permission denied
> > > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. The Open vSwitch kernel module is probably not loaded.
> > > dpif|WARN|failed to enumerate system datapaths: Permission denied
> > > dpif|WARN|failed to create datapath ovs-system: Permission denied
> > >
> > > I did not test all Open vSwitch features so there still could be
> > > some OVS configuration that would get "Permission denied" errors.
> > >
> > > Since Open vSwitch daemons on Ubuntu 15.10 by default run under
> > > "unconfined" SELinux domain, there is no need to create a
> > > similar debian package for Ubuntu, because it works on default
> > > Ubuntu installation.
> > >
> > > Signed-Off-By: Ansis Atteka <aatt...@nicira.com>
> >
> > It's certainly unfortunate that this is necessary, but I understand
> > the practical motivation behind it.
> >
> > One way to look at this could be that it's a fork from distro-provided
> > systemd policy. I'd really like to see something that makes me feel
> > good that we're trying our hardest to minimize divergence as much as
> > possible. For every policy addition, it would be nice to see
> > something like:
> >
> > 1) A link to a distro bug report (or reports) that show that this
> >    policy addition is needed locally until the distro applies a policy
> >    update.
> >
> > 2) If it's a policy included in newer versions of a distro, and this
> >    is only needed on older versions of the distro where the changes
> >    won't get applied, it'd be nice to have that documented somehow.
> >
> > Honestly, this stuff isn't easy to get right, and I'd really rather
> > leave it to the systemd policy experts as much as possible. Seeing
> > that systemd policy maintainers have acked the changes in some way
> > would make me feel better.
>
> This is a never ending problem. As we add features, all distros need
> to sync their selinux policies. It makes more sense for each project
> to provide the policy instead.
>
> For example, this is for docker and look who is the maintainer :-)
> https://github.com/fedora-cloud/docker-selinux
>

Ok, thanks.

I'm happy with this whenever you are.

--
Russell

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
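The review point raised in the thread is that every rule added to a project-shipped policy module should be traceable to an observed denial. As an added illustration (not code from the patch or from the Open vSwitch repository), the script below aggregates AVC denial records for openvswitch_t into a minimal `.te` module body in the shape that `audit2allow -M` produces, so each proposed `allow` rule can be reviewed against a distro bug or upstream policy change before it is packaged. The AVC records, the module name `openvswitch_custom` and the specific permissions shown are constructed examples; only the `openvswitch_t` type and the `netlink_generic_socket` class are real SELinux identifiers.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the thread); the layout follows the
# kernel audit AVC format, pids/timestamps/permissions are made-up illustrations.
SAMPLE_AVC = """\
type=AVC msg=audit(1453413000.123:101): avc:  denied  { create } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453413000.124:102): avc:  denied  { getattr } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453413000.125:103): avc:  denied  { net_admin } for  pid=1234 comm="ovs-vswitchd" capability=12 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=USER_AVC msg=audit(1453413000.126:104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# Pull the denied permission set, the source/target *types* (third field of the
# context) and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=\w+:\w+:(?P<stype>\w+)"
    r".*?tcontext=\w+:\w+:(?P<ttype>\w+)"
    r".*?tclass=(?P<tclass>\w+)"
)

def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) for each AVC denial line;
    records that are not denials (e.g. USER_AVC notices) are skipped."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((m["stype"], m["ttype"], m["tclass"], set(m["perms"].split())))
    return found

def denials_to_module(text, name="openvswitch_custom", version="1.0"):
    """Merge denials into one allow rule per (source, target, class) and emit a
    .te module body with a complete require block. The output is a review
    artefact: each rule still needs a justification before it ships."""
    rules = defaultdict(set)        # (stype, ttype, tclass) -> permissions
    class_perms = defaultdict(set)  # tclass -> permissions, for the require block
    types = set()
    for stype, ttype, tclass, perms in parse_denials(text):
        rules[(stype, ttype, tclass)] |= perms
        class_perms[tclass] |= perms
        types.update((stype, ttype))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype   # policy shorthand for same-type access
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

On a real host the input would come from `ausearch -m AVC -c ovs-vswitchd`, and the resulting `.te` is compiled with `checkmodule -M -m` and `semodule_package` before `semodule -i`.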