Message ID | 20180320210518.9982-5-aconole@redhat.com
---|---
State | Changes Requested
Series | selinux: introduce a transition domain for loading kmods
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> The rpm doesn't invoke all of the required selinux helpers to enact labeling
> or relabeling on all versions of Fedora/RHEL. According to:
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>
> This commit switches to use the selinux rpm macros which will ensure that
> all of the labels defined in the .fc.in file are applied properly.

Ok, it seems you need to send similar patch for rhel/openvswitch.spec.in.
Not only for fedora.

In the meantime I will later try to add fedorabuilder to the Vagrant
builder recipes and test what you have for Fedora.

Also, why was I able to reload openvswitch kernel module on CentOS
without the ovs-kmod-ctl being properly marked? Are there some rules
that we would need to remove now from openvswitch.te?

>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 8fbc985ce..b606cb7e0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>  %clean
>  rm -rf $RPM_BUILD_ROOT
>
> +%pre selinux-policy
> +%selinux_relabel_pre -s targeted
> +
>  %preun
>  %if 0%{?systemd_preun:1}
>  %systemd_preun %{name}.service
> @@ -444,7 +447,7 @@ fi
>  %endif
>
>  %post selinux-policy
> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>
>  %postun
>  %if 0%{?systemd_postun:1}
> @@ -476,9 +479,12 @@ fi
>
>  %postun selinux-policy
>  if [ $1 -eq 0 ] ; then
> -/usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +%selinux_modules_uninstall -s targeted openvswitch-custom
>  fi
>
> +%posttrans selinux-policy
> +%selinux_relabel_post -s targeted
> +
>  %files selinux-policy
>  %defattr(-,root,root)
>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> --
> 2.14.3
>
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>> or relabeling on all versions of Fedora/RHEL. According to:
>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>
>> This commit switches to use the selinux rpm macros which will ensure that
>> all of the labels defined in the .fc.in file are applied properly.
>
> Ok, it seems you need to send similar patch for
> rhel/openvswitch.spec.in. Not only for fedora.

Cool, will do.

> In the meantime I will later try to add fedorabuilder to the Vagrant
> builder recipes and test what you have for Fedora.

Ansis++!! Thanks!

> Also, why was I able to reload openvswitch kernel module on CentOS
> without the ovs-kmod-ctl being properly marked? Are there some rules
> that we would need to remove now from openvswitch.te?

I'm not sure. I'm using Fedora and RHEL for my testing, and it seems
the policies/labels are a bit different. Maybe Lukas (cc'd) knows more?

>>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
>> index 8fbc985ce..b606cb7e0 100644
>> --- a/rhel/openvswitch-fedora.spec.in
>> +++ b/rhel/openvswitch-fedora.spec.in
>> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>  %clean
>>  rm -rf $RPM_BUILD_ROOT
>>
>> +%pre selinux-policy
>> +%selinux_relabel_pre -s targeted
>> +
>>  %preun
>>  %if 0%{?systemd_preun:1}
>>  %systemd_preun %{name}.service
>> @@ -444,7 +447,7 @@ fi
>>  %endif
>>
>>  %post selinux-policy
>> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>
>>  %postun
>>  %if 0%{?systemd_postun:1}
>> @@ -476,9 +479,12 @@ fi
>>
>>  %postun selinux-policy
>>  if [ $1 -eq 0 ] ; then
>> -/usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>> +%selinux_modules_uninstall -s targeted openvswitch-custom
>>  fi
>>
>> +%posttrans selinux-policy
>> +%selinux_relabel_post -s targeted
>> +
>>  %files selinux-policy
>>  %defattr(-,root,root)
>>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>> --
>> 2.14.3
>>
Aaron Conole <aconole@redhat.com> writes:

> Ansis Atteka <ansisatteka@gmail.com> writes:
>
>> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>>> or relabeling on all versions of Fedora/RHEL. According to:
>>> https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>>
>>> This commit switches to use the selinux rpm macros which will ensure that
>>> all of the labels defined in the .fc.in file are applied properly.
>>
>> Ok, it seems you need to send similar patch for
>> rhel/openvswitch.spec.in. Not only for fedora.
>
> Cool, will do.
>
>> In the meantime I will later try to add fedorabuilder to the Vagrant
>> builder recipes and test what you have for Fedora.
>
> Ansis++!! Thanks!
>
>> Also, why was I able to reload openvswitch kernel module on CentOS
>> without the ovs-kmod-ctl being properly marked? Are there some rules
>> that we would need to remove now from openvswitch.te?
>
> I'm not sure. I'm using Fedora and RHEL for my testing, and it seems
> the policies/labels are a bit different. Maybe Lukas (cc'd) knows more?

I have an answer for this (the PoC thing works awesome for my testing,
btw - thanks again!).

CentOS is based on RHEL 7.4, which also doesn't exhibit this behavior.
I believe an upgraded selinux policy (or possibly systemd) which uses
additional contexts is causing this in RHEL 7.5 and newer Fedora
versions. Once CentOS is running with the similar bits to rhel-7.5, I
think we will see this, so your point above is correct - it needs to be
there for the openvswitch.spec.in file as well.

Thanks, Ansis! I'm re-spinning this series.

>>>
>>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>>> ---
>>>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
>>> index 8fbc985ce..b606cb7e0 100644
>>> --- a/rhel/openvswitch-fedora.spec.in
>>> +++ b/rhel/openvswitch-fedora.spec.in
>>> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>>  %clean
>>>  rm -rf $RPM_BUILD_ROOT
>>>
>>> +%pre selinux-policy
>>> +%selinux_relabel_pre -s targeted
>>> +
>>>  %preun
>>>  %if 0%{?systemd_preun:1}
>>>  %systemd_preun %{name}.service
>>> @@ -444,7 +447,7 @@ fi
>>>  %endif
>>>
>>>  %post selinux-policy
>>> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>>> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>>
>>>  %postun
>>>  %if 0%{?systemd_postun:1}
>>> @@ -476,9 +479,12 @@ fi
>>>
>>>  %postun selinux-policy
>>>  if [ $1 -eq 0 ] ; then
>>> -/usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>>> +%selinux_modules_uninstall -s targeted openvswitch-custom
>>>  fi
>>>
>>> +%posttrans selinux-policy
>>> +%selinux_relabel_post -s targeted
>>> +
>>>  %files selinux-policy
>>>  %defattr(-,root,root)
>>>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>> --
>>> 2.14.3
>>>
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 8fbc985ce..b606cb7e0 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %preun
 %if 0%{?systemd_preun:1}
 %systemd_preun %{name}.service
@@ -444,7 +447,7 @@ fi
 %endif
 
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
@@ -476,9 +479,12 @@ fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-/usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+%selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files selinux-policy
 %defattr(-,root,root)
 %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
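Review bot: in the first hunk (@@ -340), `%pre selinux-policy` calls `%selinux_relabel_pre` unconditionally, yet the diff adds no build-time dependency that defines the `selinux_*` macros and no run-time dependency on the tools they expand to (semodule, load_policy, fixfiles, selinuxenabled). A macro that is undefined at build time is left in the scriptlet as literal text, so on a release where the macros are absent (the thread itself contrasts CentOS/RHEL 7.4 with RHEL 7.5 and Fedora) `%selinux_relabel_pre -s targeted` would reach the shell verbatim and abort the install, whereas the old `semodule ... || :` lines could never fail. Suggest adding `BuildRequires: selinux-policy-devel` plus `Requires(post): policycoreutils` and `Requires(post): libselinux-utils` to the selinux-policy subpackage, or guarding each call the way this spec already guards `%systemd_preun` with `%if 0%{?systemd_preun:1}`.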
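Review bot: in the second hunk (@@ -444), the new `%selinux_modules_install -s targeted ...` line drops the `&> /dev/null || :` the old `semodule -i` line carried, so whether a failure in `%post` now aborts an upgrade depends entirely on how the macro expands on each target release; worth checking with `rpm --eval '%selinux_modules_install -s targeted openvswitch-custom.pp'` on both Fedora and RHEL before relying on it. Style point for the same hunk: the store name `targeted` is now spelled out in four scriptlets; a single `%global selinuxtype targeted` near the top of the spec and `-s %{selinuxtype}` in each call keeps them from drifting apart.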
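Review bot: in the third hunk (@@ -476), `%postun selinux-policy` removes the module when `$1 -eq 0` but nothing relabels afterwards, so files that openvswitch-custom's file contexts labelled (the ovs-kmod-ctl script discussed in this thread, for one) keep an on-disk context whose type the policy no longer knows, which the kernel then treats as unlabeled_t. Consider pairing a `%selinux_relabel_pre -s targeted` in `%preun` with a `%selinux_relabel_post -s targeted` after the uninstall inside the same `if [ $1 -eq 0 ]` block, since the post step restores labels against the file_contexts the pre step saved. The `%posttrans` placement of `%selinux_relabel_post` for install and upgrade is right: it runs after every package in the transaction is in place, and it only has an effect when `%pre` ran `%selinux_relabel_pre` first, so the two must stay together.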
The rpm doesn't invoke all of the required selinux helpers to enact labeling
or relabeling on all versions of Fedora/RHEL. According to:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

This commit switches to use the selinux rpm macros which will ensure that
all of the labels defined in the .fc.in file are applied properly.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
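As an added example, not part of this patch or of the Open vSwitch spec files, here is the same scriptlet pattern written so that it also builds and installs on a release where the `selinux_*` macros are not defined, which is the CentOS/RHEL 7.4 case raised later in this thread. It reuses the spec's own `%if 0%{?systemd_preun:1}` guard style; the `selinuxtype` and `selinuxmodule` globals, the dependency lines and the fallback to plain `semodule` are my choices, and the module path is the one the patch uses.

```spec
# Added example, not from the Open vSwitch spec: SELinux scriptlets for the
# selinux-policy subpackage that degrade to plain semodule where the
# selinux_* rpm macros do not exist.
%global selinuxtype targeted
%global selinuxmodule openvswitch-custom

# The selinux_* macros ship with the selinux-policy packages. Without this
# BuildRequires they are never defined, and rpm would copy them into the
# scriptlets as literal text that fails at install time.
BuildRequires: selinux-policy-devel

# Run-time dependencies for what the macros (or the fallback) execute:
# semodule, load_policy and fixfiles from policycoreutils, selinuxenabled
# from libselinux-utils. These lines go in the existing
# "%package selinux-policy" stanza.
Requires: selinux-policy
Requires(post): policycoreutils
Requires(post): libselinux-utils
Requires(postun): policycoreutils

%pre selinux-policy
%if 0%{?selinux_relabel_pre:1}
%selinux_relabel_pre -s %{selinuxtype}
%endif

%post selinux-policy
%if 0%{?selinux_modules_install:1}
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{name}/%{selinuxmodule}.pp
%else
# Release without the macros: keep the previous, never-failing behaviour.
/usr/sbin/semodule -s %{selinuxtype} -i %{_datadir}/selinux/packages/%{name}/%{selinuxmodule}.pp &> /dev/null || :
%endif

%postun selinux-policy
if [ $1 -eq 0 ] ; then
%if 0%{?selinux_modules_uninstall:1}
    %selinux_modules_uninstall -s %{selinuxtype} %{selinuxmodule}
%else
    /usr/sbin/semodule -s %{selinuxtype} -r %{selinuxmodule} &> /dev/null || :
%endif
fi

%posttrans selinux-policy
%if 0%{?selinux_relabel_post:1}
%selinux_relabel_post -s %{selinuxtype}
%endif
```

The `%if 0%{?macro:1}` tests are evaluated by rpmbuild, so each built package carries only one of the two branches; on a host where the macros exist the result is the same scriptlets as in the patch, and on one where they do not the package keeps installing the module the old way rather than failing in `%pre`. After installing, `semodule -l | grep openvswitch-custom` confirms the module is loaded and `restorecon -nv` on a path listed in the .fc file shows whether a relabel would still change anything.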