Hi Aaron,

Thanks for the feedback!
On Fri, Aug 10, 2018 at 12:03 PM, Aaron Conole <[email protected]> wrote:
>
> Ben Pfaff <[email protected]> writes:
>
> > On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> >> Ben Pfaff <[email protected]> writes:
> >>
> >> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao <[email protected]>
> >> >> wrote:
> >> >> >
> >> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >> >
> >> >> > Signed-off-by: Qiuyu Xiao <[email protected]>
> >> >> > Signed-off-by: Ansis Atteka <[email protected]>
> >> >> > Co-authored-by: Ansis Atteka <[email protected]>
> >> >>
> >> >> Did you test this patch on Fedora with SELinux enabled?
> >> >> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
> >> >> policy too:
> >> >
> >
> Looking at the documentation and playing around here are my thoughts:
>
> 1. We probably can squelch the .local and ldconfig AVCs that pop out.
> These seem to be related more to the python environment of the ipsec
> monitor.
>
> dontaudit openvswitch_t gconf_home_t:dir { search };
> dontaudit openvswitch_t ldconfig_exec_t:file { execute };
>
> I don't think there's any harm in them, so the above would simply keep
> the alert log quiet.
>
> 2. The actual ipsec side seems a bit more complicated.
>
> Since the openvswitch-ipsec daemon writes configurations to /etc, it
> would be best to build a transition domain that has the ability just to
> modify those files and start the ipsec daemon. I'm not sure it makes
> sense to allow openvswitch_t domain to write to all of /etc. We can
> certainly grant that for now and make the transition domain something to
> do in the future. I'll write that policy up and send it out (but it's a
> bit bigger - even the non-domain transition one - just because of the
> extra headache to allow /etc access).
The openvswitch-ipsec daemon directly changes `/etc/ipsec.conf` and `/etc/ipsec.secrets`, and uses the `certutil` command to access NSS db files in the `/etc/ipsec.d/` directory. Can we only grant SELinux permissions to those files?

>
> On the other hand, it might be possible to use an existing ipsec service
> and use the ipsec dbus interface. Can you take a look to see if we
> could integrate that by default and fall back to the manual monitoring
> mode. That would be my preferred solution (but I don't know if it has
> all of the support needed). The selinux policy for that is much simpler
> as well (just a few macros).

LibreSwan wiki says that the dbus API is still under development. Currently, the openvswitch-ipsec daemon uses the `ipsec` command to communicate with the LibreSwan IPsec service.

-Qiuyu
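One way to scope the grant to just those files, as an added example policy module (not the policy Aaron proposed or anything shipped with OVS): it grants by SELinux label rather than by directory, so the rest of /etc stays read-only for openvswitch_t. It assumes Fedora's stock ipsec module labels /etc/ipsec.conf as ipsec_conf_file_t and /etc/ipsec.secrets plus /etc/ipsec.d as ipsec_key_file_t, and that the files_rw_etc_dirs, files_etc_filetrans and ipsec_domtrans_mgmt reference-policy interfaces are present on the target; verify each with `ls -Z` and `seinfo` before building.

```selinux
# ovs_ipsec_scoped.te: constructed example, not the policy from this thread.
# Types from the thread: openvswitch_t, gconf_home_t, ldconfig_exec_t.
# Assumed from Fedora's ipsec module (verify with `ls -Z /etc/ipsec.conf /etc/ipsec.d`):
#   /etc/ipsec.conf                  -> ipsec_conf_file_t
#   /etc/ipsec.secrets, /etc/ipsec.d -> ipsec_key_file_t
policy_module(ovs_ipsec_scoped, 0.1)

gen_require(`
    type openvswitch_t;
    type gconf_home_t;
    type ldconfig_exec_t;
    type ipsec_conf_file_t;
    type ipsec_key_file_t;
')

# 1. Silence the harmless python-environment AVCs; the denial itself stays in force.
dontaudit openvswitch_t gconf_home_t:dir search;
dontaudit openvswitch_t ldconfig_exec_t:file execute;

# 2. Config files: grant per label, not per directory. ipsec.conf is a plain
#    file; ipsec.d is a directory holding the NSS db that certutil reads and
#    writes, so both dir and file permissions are needed for that type.
allow openvswitch_t ipsec_conf_file_t:file manage_file_perms;
manage_dirs_pattern(openvswitch_t, ipsec_key_file_t, ipsec_key_file_t)
manage_files_pattern(openvswitch_t, ipsec_key_file_t, ipsec_key_file_t)

# Replacing a file by rename needs add_name/remove_name on /etc itself
# (etc_t). That is directory-entry access only; it does not make other
# etc_t files writable. Named type transitions (assumed interface) keep a
# freshly created ipsec.conf/ipsec.secrets on the ipsec labels instead of
# falling back to etc_t, which this module grants no write access to.
files_rw_etc_dirs(openvswitch_t)
files_etc_filetrans(openvswitch_t, ipsec_conf_file_t, file, "ipsec.conf")
files_etc_filetrans(openvswitch_t, ipsec_key_file_t, file, "ipsec.secrets")

# 3. Run the `ipsec` control command in the ipsec management domain
#    (assumed interface) rather than widening openvswitch_t toward the
#    IKE daemon's sockets and PID files.
ipsec_domtrans_mgmt(openvswitch_t)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile ovs_ipsec_scoped.pp && semodule -i ovs_ipsec_scoped.pp`, then confirm the remaining denials with `ausearch -m AVC -c ovs-monitor-ipsec` before deciding whether the separate transition domain is still needed.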
