From: Dave Tucker <[email protected]>
Submitted-at: https://github.com/ovn-org/ovn/pull/38
Signed-off-by: Dave Tucker <[email protected]>
Signed-off-by: Numan Siddique <[email protected]>
---
.travis/linux-build.sh | 2 -
Makefile.am | 1 -
selinux/.gitignore | 5 --
selinux/automake.mk | 21 -----
selinux/openvswitch-custom.fc.in | 1 -
selinux/openvswitch-custom.te.in | 147 -------------------------------
6 files changed, 177 deletions(-)
delete mode 100644 selinux/.gitignore
delete mode 100644 selinux/automake.mk
delete mode 100644 selinux/openvswitch-custom.fc.in
delete mode 100644 selinux/openvswitch-custom.te.in
diff --git a/.travis/linux-build.sh b/.travis/linux-build.sh
index 134b4cbca..a8a561dc4 100755
--- a/.travis/linux-build.sh
+++ b/.travis/linux-build.sh
@@ -49,8 +49,6 @@ if [ "$TESTSUITE" ]; then
fi
else
configure_ovn $OPTS
- make selinux-policy
-
make -j4 || { cat config.log; exit 1; }
fi
diff --git a/Makefile.am b/Makefile.am
index 57cd41a62..430fd9fd8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -497,7 +497,6 @@ include debian/automake.mk
include lib/ovsdb_automake.mk
include rhel/automake.mk
include tutorial/automake.mk
-include selinux/automake.mk
include controller/automake.mk
include controller-vtep/automake.mk
include northd/automake.mk
diff --git a/selinux/.gitignore b/selinux/.gitignore
deleted file mode 100644
index 64e834cd1..000000000
--- a/selinux/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-openvswitch-custom.te
-openvswitch-custom.fc
-openvswitch-custom.pp
-openvswitch-custom.if
-tmp/
diff --git a/selinux/automake.mk b/selinux/automake.mk
deleted file mode 100644
index c7dfe6ed5..000000000
--- a/selinux/automake.mk
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright (C) 2016 Nicira, Inc.
-#
-# Copying and distribution of this file, with or without modification,
-# are permitted in any medium without royalty provided the copyright
-# notice and this notice are preserved. This file is offered as-is,
-# without warranty of any kind.
-
-EXTRA_DIST += \
- selinux/openvswitch-custom.fc.in \
- selinux/openvswitch-custom.te.in
-
-PHONY: selinux-policy
-
-selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
- $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
-
-CLEANFILES += \
- selinux/openvswitch-custom.te \
- selinux/openvswitch-custom.pp \
- selinux/openvswitch-custom.fc \
- selinux/openvswitch-custom.if
diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
deleted file mode 100644
index c2756d04b..000000000
--- a/selinux/openvswitch-custom.fc.in
+++ /dev/null
@@ -1 +0,0 @@
-@pkgdatadir@/scripts/ovs-kmod-ctl --
gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
deleted file mode 100644
index 2adaf231f..000000000
--- a/selinux/openvswitch-custom.te.in
+++ /dev/null
@@ -1,147 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-module openvswitch-custom @VERSION@;
-
-require {
- role system_r;
- role object_r;
-
- type openvswitch_t;
- type openvswitch_rw_t;
- type openvswitch_tmp_t;
- type openvswitch_var_run_t;
-
- type bin_t;
- type ifconfig_exec_t;
- type init_t;
- type init_var_run_t;
- type insmod_exec_t;
- type kernel_t;
- type hostname_exec_t;
- type modules_conf_t;
- type modules_object_t;
- type passwd_file_t;
- type plymouth_exec_t;
- type proc_t;
- type shell_exec_t;
- type sssd_t;
- type sssd_public_t;
- type sssd_var_lib_t;
- type sysfs_t;
- type systemd_unit_file_t;
- type tun_tap_device_t;
-
-@begin_dpdk@
- type hugetlbfs_t;
- type svirt_t;
- type svirt_image_t;
- type svirt_tmpfs_t;
- type vfio_device_t;
- type zero_device_t;
-@end_dpdk@
-
- class capability { dac_override audit_write net_broadcast net_raw };
- class chr_file { write getattr read open ioctl map };
- class dir { write remove_name add_name lock read getattr search open };
- class fd { use };
- class file { map write getattr read open execute execute_no_trans
create unlink map entrypoint lock ioctl };
- class fifo_file { getattr read write append ioctl lock open };
- class filesystem getattr;
- class lnk_file { read open };
- class netlink_audit_socket { create nlmsg_relay audit_write read write
};
- class netlink_netfilter_socket { create nlmsg_relay audit_write read
write };
-@begin_dpdk@
- class netlink_rdma_socket { setopt bind create };
-@end_dpdk@
- class netlink_socket { setopt getopt create connect getattr write read
};
- class sock_file { write };
- class system { module_load module_request };
- class process { sigchld signull transition noatsecure siginh rlimitinh
};
- class unix_stream_socket { write getattr read connectto connect setopt
getopt sendto accept bind recvfrom acceptfrom ioctl };
-
-@begin_dpdk@
- class sock_file { read append getattr open };
- class tun_socket { relabelfrom relabelto create };
-@end_dpdk@
-}
-
-#============= Set up the transition domain =============
-type openvswitch_load_module_exec_t;
-type openvswitch_load_module_t;
-
-domain_type(openvswitch_load_module_exec_t);
-domain_type(openvswitch_load_module_t);
-role object_r types openvswitch_load_module_exec_t;
-role system_r types openvswitch_load_module_t;
-domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
-domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t,
openvswitch_load_module_t);
-
-#============= openvswitch_t ==============
-allow openvswitch_t self:capability { dac_override audit_write net_broadcast
net_raw };
-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write
read write };
-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay
audit_write read write };
-@begin_dpdk@
-allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
-@end_dpdk@
-allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr
write read };
-
-allow openvswitch_t hostname_exec_t:file { read getattr open execute
execute_no_trans };
-allow openvswitch_t ifconfig_exec_t:file { read getattr open execute
execute_no_trans };
-
-allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock
read getattr open search };
-allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute
execute_no_trans create unlink };
-allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
-allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read
connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
-allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search write
remove_name add_name lock };
-allow openvswitch_t openvswitch_var_run_t:file { map open read write getattr
create unlink };
-allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl
};
-
-@begin_dpdk@
-allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
-allow openvswitch_t hugetlbfs_t:file { create unlink map };
-allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto
connect setopt getopt sendto accept bind recvfrom acceptfrom };
-allow openvswitch_t self:tun_socket { relabelfrom relabelto create };
-allow openvswitch_t svirt_image_t:file { getattr read write };
-allow openvswitch_t svirt_tmpfs_t:file { read write };
-allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open };
-allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr
sendto recvfrom setopt };
-allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
-allow openvswitch_t zero_device_t:chr_file { read open getattr map };
-@end_dpdk@
-
-#============= Transition allows =============
-type_transition openvswitch_t openvswitch_load_module_exec_t:process
openvswitch_load_module_t;
-allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open
getattr };
-allow openvswitch_t openvswitch_load_module_t:process transition;
-
-allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
-allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read
write };
-allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search
};
-allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans
getattr map open read };
-allow openvswitch_load_module_t kernel_t:system module_request;
-allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search
};
-allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
-allow openvswitch_load_module_t modules_object_t:file { map getattr open read
};
-allow openvswitch_load_module_t modules_object_t:dir { getattr open read
search };
-allow openvswitch_load_module_t openvswitch_load_module_exec_t:file {
entrypoint };
-allow openvswitch_load_module_t passwd_file_t:file { getattr open read };
-allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open
execute execute_no_trans map };
-allow openvswitch_load_module_t proc_t:file { getattr open read };
-allow openvswitch_load_module_t self:system module_load;
-allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh
siginh };
-allow openvswitch_load_module_t shell_exec_t:file { map execute
execute_no_trans read open getattr };
-allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
-allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
-allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
-allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search
};
-allow openvswitch_load_module_t sssd_var_lib_t:sock_file write;
-allow openvswitch_load_module_t sysfs_t:dir { getattr open read search };
-allow openvswitch_load_module_t sysfs_t:file { open read };
-allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
-allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
-
-# no need to grant search permissions for this - and no need to emit
-# an error, either.
-dontaudit openvswitch_load_module_t openvswitch_var_run_t:dir { search };
-
-kernel_load_module(openvswitch_load_module_t);
--
2.26.2