Ansis Atteka <[email protected]> writes: > On 20 March 2018 at 14:05, Aaron Conole <[email protected]> wrote: >> This commit uses the previously defined selinux label to transition >> from the openvswitch_t to openvswitch_load_module_t domain, by way of >> a specially labelled ovs-kmod-ctl helper. > > s/by way of a specially labelled ovs-kmod-ctl helper/ by executing > ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t > type.
I like that this also eliminates a silly spelling mistake. I'll use it. Thanks! >> >> Signed-off-by: Aaron Conole <[email protected]> >> --- >> selinux/.gitignore | 4 ++++ >> selinux/automake.mk | 3 ++- >> selinux/openvswitch-custom.fc.in | 1 + >> 3 files changed, 7 insertions(+), 1 deletion(-) >> create mode 100644 selinux/openvswitch-custom.fc.in >> >> diff --git a/selinux/.gitignore b/selinux/.gitignore >> index 83a0afb51..64e834cd1 100644 >> --- a/selinux/.gitignore >> +++ b/selinux/.gitignore >> @@ -1 +1,5 @@ >> openvswitch-custom.te >> +openvswitch-custom.fc >> +openvswitch-custom.pp >> +openvswitch-custom.if >> +tmp/ >> diff --git a/selinux/automake.mk b/selinux/automake.mk >> index b37e8f337..c7dfe6ed5 100644 >> --- a/selinux/automake.mk >> +++ b/selinux/automake.mk >> @@ -6,11 +6,12 @@ >> # without warranty of any kind. >> >> EXTRA_DIST += \ >> + selinux/openvswitch-custom.fc.in \ >> selinux/openvswitch-custom.te.in >> >> PHONY: selinux-policy >> >> -selinux-policy: selinux/openvswitch-custom.te >> +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc >> $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile >> >> CLEANFILES += \ >> diff --git a/selinux/openvswitch-custom.fc.in >> b/selinux/openvswitch-custom.fc.in >> new file mode 100644 >> index 000000000..c2756d04b >> --- /dev/null >> +++ b/selinux/openvswitch-custom.fc.in >> @@ -0,0 +1 @@ >> +@pkgdatadir@/scripts/ovs-kmod-ctl -- >> gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0) > > It seems that above line did now work for me on Centos 7 (at least > automatically). If you use vagrant then you can repro by: Right, I'm not surprised. I discovered that there needs to still be a relabel operation. > # cd poc/builders > # vagrant up centosbuilder > # vagrant ssh centosbuilder > # cd /var/www/html/RPMS/x86_64 > # install ovs rpm > # cd /var/www/html/RPMS/noarch > # install selinux rpm > # ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl But I wonder if it's still not functional after 4/4 - I'll look into it. > to see it for yourself. >> -- >> 2.14.3 >> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
