On Tue, 19 Jan 2016 22:50:26 -0800
Ansis Atteka <aatt...@nicira.com> wrote:

> CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
> SELinux policy that is too strict and prevents Open vSwitch from working
> normally out of the box.
> 
> As a solution, this patch introduces a new package which will "loosen
> up" the "openvswitch_t" SELinux domain so that Open vSwitch can operate
> normally.
> 
> Intended use-cases of this package are:
> 1. to allow users to install newer Open vSwitch on already released
> Fedora, RHEL and CentOS distributions where the default Open vSwitch
> SELinux policy that shipped with the corresponding Linux distribution
> is not up to date and did not anticipate that a newer Open vSwitch
> version might need to invoke new system calls or need to access
> certain system resources that it did not before; And
> 2. to provide alternative means through which Open vSwitch developers
> can proactively fix SELinux related policy issues without waiting for
> corresponding Linux distribution maintainers to update their central
> Open vSwitch SELinux policy.
> 
> This patch was tested on Fedora 23 and CentOS 7. I verified that now
> on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
> not see the following error messages:
> 
> vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> netlink_socket|ERR|fcntl: Permission denied
> dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
>                  The Open vSwitch kernel module is probably not loaded.
> dpif|WARN|failed to enumerate system datapaths: Permission denied
> dpif|WARN|failed to create datapath ovs-system: Permission denied
> 
> I did not test all Open vSwitch features so there still could be some
> OVS configuration that would get "Permission denied" errors.
> 
> Since Open vSwitch daemons on Ubuntu 15.10 run under the "unconfined"
> SELinux domain by default, there is no need to create a similar Debian
> package for Ubuntu.

First of all, this is a valid SELinux workflow and I liked the idea.

However, having another RPM package doesn't resolve the issue completely
because the user needs to notice something is not working, then debug,
then realize it's related to SELinux, then remember about another
package, build and finally install it.

I think we can shortcut all that by shipping OVS SELinux module by
default.

We would still need a separate package (a subpackage in this case) where
the main one requires the selinux module.  The subpackage is required
to get it built all times and to get dependencies right.

i.e.:
openvswitch-fedora.spec:
  Requires(pre): openvswitch-selinux >= %{version}-%{release}

Doing so, it would allow Fedora/RHEL/CentOS to start shipping the same.
Then when 2.5 for instance is out with its selinux module, those distros
can simply ship the same bits when their RPM is updated.  If a user
wants to use upstream, no problem, the update would work as well.

I can help you with that if you need a hand.

Thanks,
-- 
fbl

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
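The thread describes a custom SELinux module that opens up the "openvswitch_t" domain so ovs-vswitchd can create its Generic Netlink socket, but neither message shows the module or how to find out which rules it must contain. The following script is an added example, not the patch under review and not Open vSwitch's own openvswitch-custom.te: the allow rule it emits is an assumption modelled on the quoted "fcntl: Permission denied" / "ovs_datapath does not exist" errors, the AVC lines it parses are constructed sample data, and the avc_to_rules function is a small offline stand-in for what audit2allow does, so you can see how a denial maps onto a policy rule. The checkmodule/semodule_package/semodule and ausearch invocations are the standard tools and flags; run them on a CentOS 7 or Fedora host with policycoreutils and audit installed.

```shell
#!/bin/sh
# Added example (not from the patch or the reply). Builds and installs a
# custom SELinux module for openvswitch_t and derives allow rules from
# AVC denials. The rule set below is an assumption, not upstream policy.
set -eu

# Type-enforcement source for a module named "openvswitch_custom".
# The permission list is assumed from the quoted errors; take the real
# list from avc_to_rules / audit2allow on your own audit log.
ovs_policy_te() {
    cat <<'EOF'
module openvswitch_custom 1.0;

require {
    type openvswitch_t;
    class netlink_generic_socket { create bind getattr setattr read write getopt setopt };
}

# Let ovs-vswitchd create and configure the Generic Netlink socket it
# uses to reach the ovs_datapath family (assumed rule, adjust to audit log).
allow openvswitch_t self:netlink_generic_socket { create bind getattr setattr read write getopt setopt };
EOF
}

# Turn raw AVC denial lines (stdin) into allow rules, one per
# (source type, target type, class), merging the denied permissions.
# Same source and target type is printed as "self", as audit2allow does.
avc_to_rules() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep only "{ a b }" contents
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src) }
            if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level
        target = (s[3] == t[3]) ? "self" : t[3]
        key = s[3] "|" target "|" cls
        if (!(key in plist)) { plist[key] = ""; order[++nk] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (p[j] != "" && !((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = (plist[key] == "" ? "" : plist[key] " ") p[j]
            }
    }
    END {
        for (k = 1; k <= nk; k++) {
            split(order[k], parts, "|")
            printf "allow %s %s:%s { %s };\n", parts[1], parts[2], parts[3], plist[order[k]]
        }
    }'
}

# Constructed sample denials in ausearch --raw format (not a real log).
SAMPLE_AVC='type=AVC msg=audit(1453273826.120:311): avc:  denied  { create } for  pid=2178 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453273826.121:312): avc:  denied  { getattr setattr } for  pid=2178 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1453273826.130:313): avc:  denied  { write } for  pid=2178 comm="ovs-vswitchd" name="db.sock" dev="tmpfs" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0'

# Rules derived from the sample above (used by the offline demo).
demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

# Rules derived from the live audit log for ovs-vswitchd (needs root).
live_rules() {
    ausearch -m avc -c ovs-vswitchd --raw | avc_to_rules
}

# Compile the .te into a .pp and load it; the same commands belong in the
# %post of an openvswitch-selinux subpackage.
build_and_install() {
    dir=${1:-/tmp/ovs-selinux}
    mkdir -p "$dir"
    ovs_policy_te > "$dir/openvswitch_custom.te"
    checkmodule -M -m -o "$dir/openvswitch_custom.mod" "$dir/openvswitch_custom.te"
    semodule_package -o "$dir/openvswitch_custom.pp" -m "$dir/openvswitch_custom.mod"
    semodule -i "$dir/openvswitch_custom.pp"
    semodule -l | grep openvswitch_custom
}

case "${1:-demo}" in
    install) build_and_install ;;
    live)    live_rules ;;
    *)       demo_rules ;;
esac
```

Run it with no argument to see the rules the constructed denials map to, with `live` after reproducing the failure (with `setenforce 0` if you want every denial logged in one pass) to get the rules your host actually needs, and with `install` to build and load the module. Compare the derived rules with the module before loading it: a denial on a target type other than `self`, such as the `sock_file` line in the sample, is the kind of rule to check rather than wave through, since it widens what the domain may touch outside itself.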