On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> force-reload-kmod', spurious errors related to 'hostname' and 'ip'
> would be output, and the system's selinux audit log would complain about
> some of the invocations, such as those listed at the end of this commit message.
> 
> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> well as all of the OVS daemons) to allow it to execute 'hostname' and
> 'ip' commands, and also to execute temporary files created as
> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> 
> Example audit logs:
> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> 
> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> 
> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> 
> Signed-off-by: Joe Stringer <j...@ovn.org>
> ---

LGTM.
Acked-by: Flavio Leitner <f...@sysclose.org>


_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
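The denials quoted above are the raw material for a policy change like this one. As an added example (not code from the patch or the OVS tree), the Python below re-joins the mail-wrapped AVC records and aggregates them into the raw allow rules a tool such as audit2allow would print, so a reviewer can see exactly which (domain, type, class, permission) grants a loosening implies; it assumes the three records exactly as quoted, and a refpolicy patch would normally express the same grants through policy interfaces rather than bare allow rules.

```python
import re
from collections import defaultdict

# The three AVC denials quoted in the commit message above, exactly as the mail wrapped them.
AVC_SAMPLE = """\
type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Re-join records a mail client wrapped: each record starts at 'type=' and runs to the next."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith('type=') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records

def parse_avc(record):
    """Return the fields of one AVC denial, or None if the record is not a denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; only the type matters for the allow rule.
    return {'perms': set(m.group('perms').split()), 'comm': f.get('comm'),
            'target': f.get('path') or f.get('name'), 'tclass': f.get('tclass'),
            'stype': f['scontext'].split(':')[2], 'ttype': f['tcontext'].split(':')[2]}

def denials_to_rules(text):
    """Aggregate denials by (source type, target type, class) into audit2allow-style allow rules."""
    wanted = defaultdict(set)
    for rec in filter(None, map(parse_avc, unwrap(text))):
        wanted[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(wanted.items())]
```

Each rule is only the first denial hit on that path: once getattr on hostname_exec_t is granted, the next run will report the execute and transition permissions, so the aggregated list is a review checklist rather than the finished policy.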