On 20 January 2016 at 16:13, Ansis Atteka <ansisatt...@gmail.com> wrote:
> On 20 January 2016 at 15:36, Ben Pfaff <b...@ovn.org> wrote:
>> On Wed, Jan 20, 2016 at 03:34:49PM -0800, Ben Pfaff wrote:
>> > On Wed, Jan 20, 2016 at 02:59:03PM -0800, Ansis Atteka wrote:
>> > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
>> > > SELinux policy that is too strict and prevents Open vSwitch from working
>> > > normally out of the box.
>> > >
>> > > As a solution, this patch introduces a new package which will "loosen"
>> > > up the "openvswitch_t" SELinux domain so that Open vSwitch could operate
>> > > normally.
>> >
>> > I could not get this to apply.
>>
>> Oh, I guess that's because it's for branch-2.4. Just for branch-2.4?
>> We aren't going to get it on master first and backport it? That's
>> unusual...
>
> It was developed against branch-2.4, because:
> 1. OVS does not work on a default Fedora23 installation (i.e. SELinux denies
> access to NetLink sockets). This means that backporting to older branches
> needs to be done anyway.
> 2. I chose version 2.4 (as opposed to any other OVS version) because this
> needs to be done in tandem with the outstanding --user patches targeted for OVS
> 2.5. I just wanted to test the upgrade path from OVS 2.4 to OVS 2.5+ (--user).
>
> I created a new spec file because I imagined that this SELinux policy
> package could be used on both Fedora and RHEL.

Also, here are two things I would like to point out about the patch:

1. It loosens up the SELinux policy that comes with the Linux distribution, as opposed to unloading it and loading a completely different SELinux policy. I don't see any reason why this can't be done, but I could not find a precedent.

2. If we want to have a single rpm package for Fedora, RHEL and CentOS, then the SELinux openvswitch-custom.te file needs to be targeted for the lowest SELinux version.
For example, SELinux on Fedora has several extra classes that we can't use (obtained from the "seinfo" utility):
+ binder
+ netlink_connector_socket
+ netlink_netfilter_socket
+ netlink_iscsi_socket
+ netlink_rdma_socket
+ netlink_generic_socket
+ netlink_scsitransport_socket
+ netlink_crypto_socket
+ netlink_fib_lookup_socket
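The second point above (one .te source that must build against the lowest SELinux version in the set of distributions) can be handled by generating the allow rules only for object classes the target policy actually defines. The script below is an added example and is not the patch's openvswitch-custom.te nor any Open vSwitch code; the set of wanted classes, the embedded class lists and the file names are constructed assumptions. It takes the class list that `seinfo -c` would print on the build host, keeps only the wanted netlink classes that exist there, and emits a minimal type-enforcement module for `openvswitch_t` restricted to those classes, so the policy never references a class an older release lacks and never grants more than it needs.

```shell
#!/bin/sh
# Added example, not part of the OVS patch: generate an openvswitch_t
# SELinux module whose netlink rules reference only classes that the
# target policy defines (so one source builds on RHEL/CentOS and Fedora).

# Netlink classes the hypothetical custom policy would like to permit.
# (Assumption for the example; a real module lists what audit2allow shows
# is actually denied.)
WANTED_CLASSES="netlink_socket netlink_route_socket netlink_generic_socket netlink_crypto_socket"

# supported_classes WANTED AVAILABLE
#   WANTED:    space-separated class names
#   AVAILABLE: one class per line, e.g. the output of `seinfo -c`
# Prints the subset of WANTED present in AVAILABLE, preserving WANTED order.
supported_classes() {
    wanted=$1
    available=$2
    out=""
    for c in $wanted; do
        if printf '%s\n' "$available" | grep -qx "$c"; then
            out="${out:+$out }$c"
        fi
    done
    printf '%s' "$out"
}

# emit_te_module CLASSES
# Prints a refpolicy-style .te module that grants openvswitch_t socket
# permissions on itself for exactly the given classes.  create_socket_perms
# is a refpolicy support macro expanded by the policy build (it is a macro,
# so build with the selinux-policy-devel Makefile rather than raw checkmodule).
emit_te_module() {
    classes=$1
    printf 'policy_module(openvswitch-custom, 1.0)\n\n'
    printf 'gen_require(`\n'
    printf '    type openvswitch_t;\n'
    printf "')\n\n"
    for c in $classes; do
        printf 'allow openvswitch_t self:%s create_socket_perms;\n' "$c"
    done
}

# Constructed sample class lists.  On a real host replace these with:
#   seinfo -c > classes.txt
# An older (RHEL/CentOS-like) policy without the newer netlink classes:
OLD_POLICY_CLASSES="netlink_socket
netlink_route_socket
tcp_socket"

# A newer (Fedora-like) policy that also defines the extra classes:
NEW_POLICY_CLASSES="netlink_socket
netlink_route_socket
netlink_generic_socket
netlink_crypto_socket
tcp_socket"

main() {
    # Build the module for the lowest common denominator and write it out.
    # Afterwards, on the build host, the usual refpolicy steps are:
    #   make -f /usr/share/selinux/devel/Makefile openvswitch-custom.pp
    #   semodule -i openvswitch-custom.pp
    classes=$(supported_classes "$WANTED_CLASSES" "$OLD_POLICY_CLASSES")
    emit_te_module "$classes" > openvswitch-custom.te.example
    cat openvswitch-custom.te.example
}

main
```

Run against the Fedora-like list the same source yields rules for all four classes; against the older list it silently drops `netlink_generic_socket` and `netlink_crypto_socket` instead of failing to compile, which is the trade-off the thread describes: the resulting package installs everywhere, but whether the remaining rules are sufficient on that release still has to be checked with audit2allow on a real denial log.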