On Thu, 21 Jan 2016 17:09:42 -0500 Russell Bryant <russ...@ovn.org> wrote:
> On 01/20/2016 05:59 PM, Ansis Atteka wrote:
> > CentOS, RHEL and Fedora distributions ship with their own Open
> > vSwitch SELinux policy that is too strict and prevents Open vSwitch
> > from working normally out of the box.
> >
> > As a solution, this patch introduces a new package which will
> > "loosen" up the "openvswitch_t" SELinux domain so that Open vSwitch
> > could operate normally.
> >
> > Intended use-cases of this package are:
> > 1. to allow users to install newer Open vSwitch on already released
> >    Fedora, RHEL and CentOS distributions where the default Open
> >    vSwitch SELinux policy that shipped with the corresponding Linux
> >    distribution is not up to date and did not anticipate that a newer
> >    Open vSwitch version might need to invoke new system calls or need
> >    to access certain system resources that it did not before; and
> > 2. to provide alternative means through which Open vSwitch
> >    developers can proactively fix SELinux related policy issues
> >    without waiting for corresponding Linux distribution maintainers to
> >    update their central Open vSwitch SELinux policy.
> >
> > This patch was tested on Fedora 23 and CentOS 7. I verified that now
> > on Fedora 23 Open vSwitch can create a NetLink socket, and that I
> > did not see the following error messages:
> >
> > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > netlink_socket|ERR|fcntl: Permission denied
> > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not
> > exist. The Open vSwitch kernel module is probably not loaded.
> > dpif|WARN|failed to enumerate system datapaths: Permission denied
> > dpif|WARN|failed to create datapath ovs-system: Permission denied
> >
> > I did not test all Open vSwitch features, so there still could be
> > some OVS configuration that would get "Permission denied" errors.
> >
> > Since Open vSwitch daemons on Ubuntu 15.10 by default run under
> > the "unconfined" SELinux domain, there is no need to create a
> > similar debian package for Ubuntu, because it works on a default
> > Ubuntu installation.
> >
> > Signed-Off-By: Ansis Atteka <aatt...@nicira.com>
>
> It's certainly unfortunate that this is necessary, but I understand
> the practical motivation behind it.
>
> One way to look at this could be that it's a fork from distro-provided
> systemd policy. I'd really like to see something that makes me feel
> good that we're trying our hardest to minimize divergence as much as
> possible. For every policy addition, it would be nice to see
> something like:
>
> 1) A link to a distro bug report (or reports) that show that this
> policy addition is needed locally until the distro applies a policy
> update.
>
> 2) If it's a policy included in newer versions of a distro, and this
> is only needed on older versions of the distro where the changes
> won't get applied, it'd be nice to have that documented somehow.
>
> Honestly, this stuff isn't easy to get right, and I'd really rather
> leave it to the systemd policy experts as much as possible. Seeing
> that systemd policy maintainers have acked the changes in some way
> would make me feel better.

This is a never-ending problem. As we add features, all distros need
to sync their selinux policies. It makes more sense for each project
to provide the policy instead.

For example, this is for docker and look who is the maintainer :-)
https://github.com/fedora-cloud/docker-selinux

-- 
fbl
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
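As an added illustration, not code from this thread or from the Open vSwitch patch under discussion: a shell script that writes a minimal Type Enforcement module scoped to the openvswitch_t domain, builds and loads it, and runs the checks a reviewer would want (module loaded, only openvswitch_t widened, remaining AVC denials listed). The module name openvswitch-custom, the allow rules and the /tmp path are assumptions; real rules should be derived from the distro's actual AVC denials.

```shell
#!/bin/sh
# Added example, not from the thread or the OVS patch: a minimal SELinux module
# that widens only the openvswitch_t domain, plus the checks to review it.
# Module name, rules, and paths are assumptions for illustration.
set -eu

# Write the Type Enforcement source. Scoping every rule to openvswitch_t keeps
# the widening from leaking into any other domain on the host.
write_policy_te() {
    cat > "$1" <<'EOF'
module openvswitch-custom 1.0;

require {
    type openvswitch_t;
    class netlink_socket { create bind getattr setopt getopt read write };
    class netlink_generic_socket { create bind getattr setopt getopt read write };
}

# Assumed rules: let ovs-vswitchd create and use its own Netlink sockets,
# the access the "netlink_socket|ERR|fcntl: Permission denied" line hints at.
allow openvswitch_t self:netlink_socket { create bind getattr setopt getopt read write };
allow openvswitch_t self:netlink_generic_socket { create bind getattr setopt getopt read write };
EOF
}

# Compile the .te into a loadable package and install it (root plus the
# checkmodule/semodule_package/semodule tools are required).
build_and_load() {
    dir=$(dirname "$1"); base=$(basename "$1" .te)
    checkmodule -M -m -o "$dir/$base.mod" "$1"
    semodule_package -o "$dir/$base.pp" -m "$dir/$base.mod"
    semodule -i "$dir/$base.pp"
}

# Review checks: the module is loaded, the new allow rules exist only for
# openvswitch_t, and any AVC denials that remain for ovs-vswitchd are listed.
verify_policy() {
    semodule -l | grep '^openvswitch-custom'
    sesearch -A -s openvswitch_t -c netlink_generic_socket
    ausearch -m AVC -c ovs-vswitchd --start today || true
}

# Run the whole procedure only when explicitly asked for.
if [ "${1:-}" = "install" ]; then
    write_policy_te /tmp/openvswitch-custom.te
    build_and_load /tmp/openvswitch-custom.te
    verify_policy
fi
```

Run as `sh build-ovs-policy.sh install` on the SELinux host; the sesearch line is the evidence to attach to the distro bug report Russell asks for, since it shows exactly which permissions the local module adds.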