Ben Pfaff <b...@ovn.org> writes:

> On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
>> Ben Pfaff <b...@ovn.org> writes:
>>
>> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <qiuyu.xiao....@gmail.com> wrote:
>> >> >
>> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >> >
>> >> > Signed-off-by: Qiuyu Xiao <qiuyu.xiao....@gmail.com>
>> >> > Signed-off-by: Ansis Atteka <aatt...@ovn.org>
>> >> > Co-authored-by: Ansis Atteka <aatt...@ovn.org>
>> >>
>> >> Did you test this patch on Fedora with SELinux enabled?
>> >> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
>> >> policy too:
>> >
Looking at the documentation and playing around, here are my thoughts:

1. We probably can squelch the .local and ldconfig AVCs that pop out.
   These seem to be related more to the python environment of the ipsec
   monitor.

       dontaudit openvswitch_t gconf_home_t:dir { search };
       dontaudit openvswitch_t ldconfig_exec_t:file { execute };

   I don't think there's any harm in them, so the above would simply keep
   the alert log quiet.

2. The actual ipsec side seems a bit more complicated. Since the
   openvswitch-ipsec daemon writes configurations to /etc, it would be
   best to build a transition domain that has the ability just to modify
   those files and start the ipsec daemon. I'm not sure it makes sense to
   allow the openvswitch_t domain to write to all of /etc. We can
   certainly grant that for now and make the transition domain something
   to do in the future.

   I'll write that policy up and send it out (but it's a bit bigger, even
   the non-domain-transition one, just because of the extra headache to
   allow /etc access).

   On the other hand, it might be possible to use an existing ipsec
   service and use the ipsec dbus interface. Can you take a look to see if
   we could integrate that by default and fall back to the manual
   monitoring mode? That would be my preferred solution (but I don't know
   if it has all of the support needed). The selinux policy for that is
   much simpler as well (just a few macros).
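For illustration, here is what the interim policy sketched in the message above looks like as a loadable module: the two dontaudit rules, the temporary grant of /etc write access to openvswitch_t, and a domain transition so the IPsec daemon does not keep running as openvswitch_t. This is an added example, not the policy Aaron said he would send; the module name and the interface names files_manage_etc_files and ipsec_domtrans are assumed refpolicy/Fedora interfaces, not taken from the thread.

```selinux
# ovs_ipsec_local.te  (added example; module name is an assumption)
policy_module(ovs_ipsec_local, 1.0)

require {
    type openvswitch_t;
    type gconf_home_t;
    type ldconfig_exec_t;
}

# Denials from the python environment of ovs-monitor-ipsec that only
# clutter the audit log: dontaudit silences them without granting access.
dontaudit openvswitch_t gconf_home_t:dir { search };
dontaudit openvswitch_t ldconfig_exec_t:file { execute };

# Interim grant: let the monitor manage files under /etc so it can write
# the IPsec configuration. This is broad; a dedicated transition domain
# would scope it to just the IPsec files.
# (files_manage_etc_files is an assumed refpolicy interface name.)
files_manage_etc_files(openvswitch_t)

# Let the monitor exec the ipsec daemon and have it transition into the
# existing ipsec_t domain instead of inheriting openvswitch_t.
# (ipsec_domtrans is an assumed refpolicy interface name.)
ipsec_domtrans(openvswitch_t)
```

With the selinux-policy-devel package installed, `make -f /usr/share/selinux/devel/Makefile ovs_ipsec_local.pp` builds the module and `semodule -i ovs_ipsec_local.pp` loads it; `ausearch -m avc -ts recent` afterwards should show the two silenced denials gone while any remaining ones point at what the transition domain still needs.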