On Tue, Jul 26, 2016 at 01:31:00PM -0700, Joe Stringer wrote:
> On 26 July 2016 at 13:00, Flavio Leitner <f...@sysclose.org> wrote:
> > On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> >> On 25 July 2016 at 16:57, Flavio Leitner <f...@sysclose.org> wrote:
> >> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> >> force-reload-kmod', spurious errors would output related to 'hostname'
> >> >> and 'ip', and the system's selinux audit log would complain about some
> >> >> of the invocations such as those listed at the end of this commit 
> >> >> message.
> >> >>
> >> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> >> 'ip' commands, and also to execute temporary files created as
> >> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >> >>
> >> >> Example audit logs:
> >> >> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
> >> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
> >> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
> >> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >> >>
> >> >> Signed-off-by: Joe Stringer <j...@ovn.org>
> >> >> ---
> >> >
> >> > LGTM.
> >> > Acked-by: Flavio Leitner <f...@sysclose.org>
> >>
> >> Thanks for the review, applied to master.
> >
> > I also opened a bug to fix it on Fedora:
> >
> > Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
> > https://bugzilla.redhat.com/show_bug.cgi?id=1360465
> >
> Thanks. For what it's worth, when I tried, if I invoke
> "/usr/share/openvswitch/scripts/ovs-ctl force-reload-kmod" directly on
> centos7, OVS restarts unconfined. Usually in the openvswitch.spec path
> I will run it indirectly via /etc/init.d/openvswitch, but that isn't
> an option in the fedora packaging.

Right, because systemd doesn't support custom actions, so we have
a few fixed actions available to play with.  The plan is to move to
a 1:1 mapping between services and OVS daemons and run external scripts
to manage those.  See Aaron's patchset stepping in that direction.

The 'hostname' affects openvswitch-fedora.spec as well.

-- 
fbl
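The three AVC records quoted in the commit message above are the raw material a policy maintainer reduces to allow rules before deciding whether a grant is acceptable. The parser below is an added example, not code from the thread or from the OVS or Fedora SELinux policy: it reads a constructed copy of those records (re-joined onto one line each, as auditd emits them), folds the denials into the type-enforcement allow rules they imply (the same reduction audit2allow performs), and separately lists any denial whose fix would let a domain execute a `*_tmp_t` file, since that grant is broader than `getattr` on a fixed binary such as `/usr/bin/hostname`. The `execute_on_tmp` heuristic is the example's own review aid, not part of any tool.

```python
import re
from collections import OrderedDict

# Constructed copy of the three AVC records quoted in the commit message,
# one record per line as auditd writes them (the mail client wrapped them).
AVC_SAMPLE = """\
type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then
# the free-form key=value fields after "for".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # auditd reports either a resolved path or just the file name.
        'target': fields.get('path') or fields.get('name'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
    }
    # A context is user:role:type:level; TE rules are written per type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rules(text):
    """Fold denials into minimal allow rules, merging permissions that share
    the same (source type, target type, object class) triple."""
    merged = OrderedDict()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in merged.items()]


def execute_on_tmp(text):
    """Review aid (heuristic, this example's own): denials whose fix would let
    a domain execute a *_tmp_t file, returned as (comm, target, type)."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['ttype'].endswith('_tmp_t') and 'execute' in rec['perms']:
            out.append((rec['comm'], rec['target'], rec['ttype']))
    return out


if __name__ == '__main__':
    for rule in allow_rules(AVC_SAMPLE):
        print(rule)
    for comm, target, ttype in execute_on_tmp(AVC_SAMPLE):
        print('review: %s executes %s (%s)' % (comm, target, ttype))
```

Run it against a real `/var/log/audit/audit.log` by reading the file instead of `AVC_SAMPLE`; the first two rules it emits for the sample describe the `hostname` and `ip` grants the commit message mentions, and the third is the one the review aid singles out.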

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
