On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> On 25 July 2016 at 16:57, Flavio Leitner <f...@sysclose.org> wrote:
> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> force-reload-kmod', spurious errors would be output related to 'hostname'
> >> and 'ip', and the system's selinux audit log would complain about some
> >> of the invocations such as those listed at the end of this commit message.
> >>
> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> 'ip' commands, and also to execute temporary files created as
> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >>
> >> Example audit logs:
> >> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >>
> >> Signed-off-by: Joe Stringer <j...@ovn.org>
> >> ---
> >
> > LGTM.
> > Acked-by: Flavio Leitner <f...@sysclose.org>
> >
> >
> Thanks for the review, applied to master.
I also opened a bug to fix it on Fedora:

Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
https://bugzilla.redhat.com/show_bug.cgi?id=1360465

-- 
fbl

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
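The commit message quoted above shows the raw AVC denials but not how they turn into policy. The script below is an added example, not part of the thread and not the OVS project's own selinux/ sources: it parses the three AVC records exactly as quoted in the commit message, reduces them to one allow rule per (source type, target type, class), and wraps the rules in a loadable .te module, which is the same shape audit2allow -M produces. The module name ovs_local and the function names are assumptions for the example. Two caveats are worth reading off the result rather than assuming it is complete: the kernel logs only the first permission it denied on each check, so `{ getattr }` on hostname_exec_t is a lower bound and running the command will surface further denials (execute, execute_no_trans, read, open) until the set is complete, which is why people iterate in permissive mode; and the third rule grants execute on openvswitch_tmp_t, the daemon's own temporary-file type, so once loaded it allows the confined domain to run any file it has itself created there, not just the one tmp.jdEGHntG3Z script.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the commit message above, each re-joined
# onto one line (the mail client had wrapped them). They are the thread's own
# data, not constructed for this example.
AVC_LINES = [
    'type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for '
    'pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for '
    'pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 '
    'scontext=unconfined_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for '
    'pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 '
    'scontext=unconfined_u:system_r:openvswitch_t:s0 '
    'tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str):
    """Parse one AVC denial into its policy-relevant parts; None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
    }


def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class).

    Only the permissions the kernel actually reported are granted; that is a
    lower bound, because each AVC carries just the first denied permission.
    """
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items())
    ]


def policy_module(name, lines):
    """Wrap the rules in a loadable .te module with the require block it needs."""
    rules = allow_rules(lines)
    types, classes = set(), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            types.update((rec["source"], rec["target"]))
            classes[rec["tclass"]] |= rec["perms"]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Module name ovs_local is an arbitrary choice for this example.
    print(policy_module("ovs_local", AVC_LINES))
```

Feed it `ausearch -m avc -ts recent` output instead of AVC_LINES to work from a live box; the resulting .te compiles and loads with `checkmodule -M -m -o ovs_local.mod ovs_local.te`, `semodule_package -o ovs_local.pp -m ovs_local.mod` and `semodule -i ovs_local.pp`. Before loading, read each generated rule against the denial that produced it: a rule keyed on the target's type grants that access to every file of that type, which for an _exec_t type is one binary but for openvswitch_tmp_t is anything the daemon writes.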