On 20 March 2018 at 14:05, Aaron Conole <[email protected]> wrote:
> This commit uses the previously defined selinux label to transition
> from the openvswitch_t to openvswitch_load_module_t domain, by way of
> a specially labelled ovs-kmod-ctl helper.
s/by way of a specially labelled ovs-kmod-ctl helper/ by executing ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t type. > > Signed-off-by: Aaron Conole <[email protected]> > --- > selinux/.gitignore | 4 ++++ > selinux/automake.mk | 3 ++- > selinux/openvswitch-custom.fc.in | 1 + > 3 files changed, 7 insertions(+), 1 deletion(-) > create mode 100644 selinux/openvswitch-custom.fc.in > > diff --git a/selinux/.gitignore b/selinux/.gitignore > index 83a0afb51..64e834cd1 100644 > --- a/selinux/.gitignore > +++ b/selinux/.gitignore > @@ -1 +1,5 @@ > openvswitch-custom.te > +openvswitch-custom.fc > +openvswitch-custom.pp > +openvswitch-custom.if > +tmp/ > diff --git a/selinux/automake.mk b/selinux/automake.mk > index b37e8f337..c7dfe6ed5 100644 > --- a/selinux/automake.mk > +++ b/selinux/automake.mk > @@ -6,11 +6,12 @@ > # without warranty of any kind. > > EXTRA_DIST += \ > + selinux/openvswitch-custom.fc.in \ > selinux/openvswitch-custom.te.in > > PHONY: selinux-policy > > -selinux-policy: selinux/openvswitch-custom.te > +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc > $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile > > CLEANFILES += \ > diff --git a/selinux/openvswitch-custom.fc.in > b/selinux/openvswitch-custom.fc.in > new file mode 100644 > index 000000000..c2756d04b > --- /dev/null > +++ b/selinux/openvswitch-custom.fc.in 
> @@ -0,0 +1 @@ > +@pkgdatadir@/scripts/ovs-kmod-ctl -- > gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)

It seems that the above line did not work for me on CentOS 7 (at least automatically). If you use vagrant then you can repro by:

# cd poc/builders
# vagrant up centosbuilder
# vagrant ssh centosbuilder
# cd /var/www/html/RPMS/x86_64
# install ovs rpm
# cd /var/www/html/RPMS/noarch
# install selinux rpm
# ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl

to see it for yourself.

> --
> 2.14.3
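Review bot: in the selinux/automake.mk hunk, selinux-policy now depends on selinux/openvswitch-custom.fc, but the three changed lines add no rule that generates that file from openvswitch-custom.fc.in and no CLEANFILES entry for it. If whatever already handles openvswitch-custom.te.in does not also cover the .fc.in template, add both, and confirm that @pkgdatadir@ is expanded to the installed scripts directory in the generated file. Separately, the context line `PHONY: selinux-policy` lacks the leading dot, so make treats it as an ordinary target named PHONY instead of declaring selinux-policy phony; `.PHONY: selinux-policy` is what is intended.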
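Review bot: the single entry added in selinux/openvswitch-custom.fc.in only records the intended label for ovs-kmod-ctl; a file that is already on disk keeps its previous type until it is relabelled, which is consistent with the reply's report that the label was not applied automatically on CentOS 7. Without openvswitch_load_module_exec_t on the script, the transition described in the commit message cannot happen, so the packaging should run restorecon on the installed script after the policy module is loaded, or guarantee that the module is loaded before the script is installed, and the result should be checked with ls -Z on the installed path. Note also that the `--` field restricts the match to regular files, so the entry will not apply if the script is ever installed as a symlink.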
