On 26 January 2017 at 04:03, Daniele Di Proietto <[email protected]> wrote:
>
> On 25/01/2017 00:01, "Ansis Atteka" <[email protected]> wrote:
>
> > On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" <[email protected]> wrote:
> >
> >Current SELinux policy in RHEL and Fedora doesn't allow the creation of
> >TAP devices.
> >
> >A tap device is used by dpif-netdev to create internal devices.
> >
> >Without this patch, adding any bridge backed by the userspace datapath
> >would fail.
> >
> >This doesn't mean that we can run Open vSwitch with DPDK under SELinux
> >yet, but at least we can use the userspace datapath.
> >
> >Signed-off-by: Daniele Di Proietto <[email protected]>
> >
> > Acked-by: Ansis Atteka <[email protected]>
> >
> > I saw that other open source projects like OpenVPN use the rw_file_perms
> > shortcut macro. Not sure how relevant that is for OVS, but that macro
> > expands to a few more function calls than what you have below. Maybe we
> > don't need it, if what you have just worked.
>
> Thanks a lot for the review.
>
> I cooked this up using audit2allow and I tested it on Fedora 25. I'm now
> able to create and delete userspace bridges, without any further complaints
> from SELinux.
>
> I'm definitely not an expert in SELinux, so I'm not sure if it's better to
> use the macro and ask for extra permission, or to hardcode the list.
>
> What do you think?
>

Yeah, LGTM. Anyway, if you missed any of the function calls defined in the macro
you can always add them later on.

> >---
> > selinux/openvswitch-custom.te | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> >diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
> >index 47ddb562c..98de89c98 100644
> >--- a/selinux/openvswitch-custom.te
> >+++ b/selinux/openvswitch-custom.te
> >@@ -5,8 +5,11 @@ require { > > type openvswitch_tmp_t; > > type ifconfig_exec_t; > > type hostname_exec_t; > >+ type tun_tap_device_t; > > class netlink_socket { setopt getopt create connect getattr > write read }; > > class file { write getattr read open execute execute_no_trans }; > >+ class chr_file { ioctl open read write }; > > > > > > > > > >+ class tun_socket { create }; > > } > > > > #============= openvswitch_t ============== > >@@ -14,3 +17,5 @@ allow openvswitch_t self:netlink_socket { setopt getopt > create connect getattr w > > allow openvswitch_t hostname_exec_t:file { read getattr open execute > execute_no_trans }; > > allow openvswitch_t ifconfig_exec_t:file { read getattr open execute > execute_no_trans }; > > allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; > >+allow openvswitch_t self:tun_socket { create }; > >+allow openvswitch_t tun_tap_device_t:chr_file { ioctl open read write }; > >-- > >2.11.0 > > > >_______________________________________________ > >dev mailing list > >[email protected] > >https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > > > > > > > > > > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
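Review bot: the new `require` entries (`type tun_tap_device_t;`, `class chr_file { ioctl open read write };`, `class tun_socket { create };`) are, per the discussion above, the minimal set audit2allow produced from one test run on Fedora 25, but nothing in the file records that. A one-line comment above the block saying the permissions were captured from AVC denials while creating and deleting userspace bridges would let a later maintainer decide, when a new denial shows up, whether to extend this hand-picked list or switch to the `rw_file_perms` macro Ansis mentioned, instead of guessing why the list is narrower than the macro.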
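Review bot: of the two options left open in the thread (hardcoded list vs. `rw_file_perms` macro), the hardcoded `allow openvswitch_t tun_tap_device_t:chr_file { ioctl open read write };` and `allow openvswitch_t self:tun_socket { create };` are the tighter choice, since Ansis notes the macro expands to more permissions than were actually observed; keep them as written. The commit message already explains that these rules exist so dpif-netdev can create its internal TAP devices, and repeating that sentence as a comment next to the two `allow` lines would tie the grant to the feature it serves, which matters most for the `ioctl` permission on the device node.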
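Since Daniele says the rules were derived with audit2allow, here is an added example (not part of the thread or of the OVS tree) that mirrors audit2allow's basic aggregation: it parses AVC denial lines and merges them into the minimal `allow` rules and `require` block. The AVC lines are constructed to look like the denials ovs-vswitchd would produce when it opens the TUN/TAP device node; they are sample data, not captured logs, and the real tool should still be used for production policy.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not real captured logs), shaped like the
# audit records audit2allow reads when openvswitch_t touches /dev/net/tun.
SAMPLE_AVC = """\
type=AVC msg=audit(1485300000.101:201): avc:  denied  { open } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485300000.102:202): avc:  denied  { read write } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485300000.103:203): avc:  denied  { ioctl } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485300000.104:204): avc:  denied  { create } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def synthesize_rules(log_text):
    """Merge denials per (source, target, class) into one allow rule each."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        perms_by_key[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        target = "self" if stype == ttype else ttype  # self:tun_socket, as in the patch
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def synthesize_require(log_text):
    """Build the require { ... } block that the generated allow rules depend on."""
    types, classes = set(), defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        types.update((stype, ttype))
        classes[tclass] |= perms
    lines = ["require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines.append("}")
    return "\n".join(lines)
```

On the sample, `synthesize_rules` yields exactly the two `allow` lines in the patch, which is a quick way to confirm that a hand-written list matches what was actually denied.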
