
[ovs-dev,v3,0/3] updated selinux policy for Open vSwitch

Message ID 20170831232245.3644-1-aconole@redhat.com

Message

Aaron Conole Aug. 31, 2017, 11:22 p.m. UTC
This series brings about a policy update to openvswitch allowing it to
run on a RHEL / Fedora system, even as a non-root user, with SELinux set
to Enforcing.

The first two patches make some changes to the way the selinux policy is
built to have a macro-like effect, allowing the dpdk policy to be enabled
or disabled based on the build.  This is chosen instead of using an SELinux
boolean, because it is more transparent to the end user.

All of this work was tested by passing traffic, including via a dpdk bridge.

I'm hoping that this can be backported to the 2.8 branch (since it would be
needed to make Fedora 2.8 make sense), but if not, we can always do the manual
backport.

Original Series:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337513.html

v2->v3:
* move tun_tap_device_t permissions to be more general purpose

v1->v2:
* updated after PVP testing.  There are still permissions that need to be added
  to libvirt / qemu, but that is outside the scope of the Open vSwitch project.
* Folded in Flavio Leitner's ACK

Aaron Conole (3):
  rhel: make the selinux policy intermediate
  makefile: hook up dpdkstrip preprocessor
  selinux: update policy to reflect non-root and dpdk support

 Makefile.am                      |  4 +++
 rhel/openvswitch-fedora.spec.in  |  1 +
 selinux/automake.mk              |  2 +-
 selinux/openvswitch-custom.te    | 16 ------------
 selinux/openvswitch-custom.te.in | 54 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 17 deletions(-)
 delete mode 100644 selinux/openvswitch-custom.te
 create mode 100644 selinux/openvswitch-custom.te.in

Comments

Ansis Sept. 1, 2017, 2:13 a.m. UTC | #1
On 31 August 2017 at 16:22, Aaron Conole <aconole@redhat.com> wrote:
> This series brings about a policy update to openvswitch allowing it to
> run on a RHEL / Fedora system, even as a non-root user, with selinux set
> to Enforcing.
>
> The first two patches make some changes to the way the selinux policy is
> built to have a macro-like effect, allowing the dpdk policy to be enabled
> or disabled based on the build.  This is chosen instead of using an selinux
> boolean, because it is more transparent to the end user.
>
> All of this work was tested by passing traffic, including via a dpdk bridge.
>
> I'm hoping that this can be backported to the 2.8 branch (since it would be
> needed to make fedora 2.8 make sense), but if not, we can always do the manual
> backport
>
I already pushed your patches to master branch. However, before
back-porting them to 2.8 I think more testing is required. For
example:

1. The documentation should reflect the renaming to openvswitch.te.in

# git grep "openvswitch\.te"
Documentation/howto/selinux.rst:``selinux/openvswitch.te`` file in the OVS source tree and try to add white


2. I think your patch breaks the rpm packages built with rpmbuild -bb --without check rhel/openvswitch.spec

I know that there are users out there using this rhel/openvswitch.spec
as opposed to rhel/openvswitch-fedora.spec on RHEL and CentOS.
Aaron Conole Sept. 1, 2017, 5:20 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 31 August 2017 at 16:22, Aaron Conole <aconole@redhat.com> wrote:
>> This series brings about a policy update to openvswitch allowing it to
>> run on a RHEL / Fedora system, even as a non-root user, with selinux set
>> to Enforcing.
>>
>> The first two patches make some changes to the way the selinux policy is
>> built to have a macro-like effect, allowing the dpdk policy to be enabled
>> or disabled based on the build.  This is chosen instead of using an selinux
>> boolean, because it is more transparent to the end user.
>>
>> All of this work was tested by passing traffic, including via a dpdk bridge.
>>
>> I'm hoping that this can be backported to the 2.8 branch (since it would be
>> needed to make fedora 2.8 make sense), but if not, we can always do the manual
>> backport
>>
> I already pushed your patches to master branch. However, before
> back-porting them to 2.8 I think more testing is required. For
> example:

Agreed.  I addressed your concerns, and also found a really
embarrassingly stupid mistake.

I plan on continuing to test it anyway.  I'll be making some beer this
weekend so I should have some spare cycles to kick stuff off.

Thanks for all your help, Ansis!

-Aaron
Ansis Sept. 1, 2017, 7:50 p.m. UTC | #3
On 1 September 2017 at 10:20, Aaron Conole <aconole@redhat.com> wrote:
> Ansis Atteka <ansisatteka@gmail.com> writes:
>
>> On 31 August 2017 at 16:22, Aaron Conole <aconole@redhat.com> wrote:
>>> This series brings about a policy update to openvswitch allowing it to
>>> run on a RHEL / Fedora system, even as a non-root user, with selinux set
>>> to Enforcing.
>>>
>>> The first two patches make some changes to the way the selinux policy is
>>> built to have a macro-like effect, allowing the dpdk policy to be enabled
>>> or disabled based on the build.  This is chosen instead of using an selinux
>>> boolean, because it is more transparent to the end user.
>>>
>>> All of this work was tested by passing traffic, including via a dpdk bridge.
>>>
>>> I'm hoping that this can be backported to the 2.8 branch (since it would be
>>> needed to make fedora 2.8 make sense), but if not, we can always do the manual
>>> backport
>>>
>> I already pushed your patches to master branch. However, before
>> back-porting them to 2.8 I think more testing is required. For
>> example:
>
> Agreed.  I addressed your concerns, and also found a really
> embarrassingly stupid mistake.
>
> I plan on continuing to test it anyway.  I'll be making some beer this
> weekend so I should have some spare cycles to kick stuff off.
>
> Thanks for all your help, Ansis!
>

Thanks for jumping in quickly and addressing all the remaining issues.
The second series looks good to me. I will back-port all 6 patches to
branch-2.8 now. Thank you!
Justin Pettit Sept. 2, 2017, 12:24 a.m. UTC | #4
> On Sep 1, 2017, at 12:50 PM, Ansis Atteka <ansisatteka@gmail.com> wrote:
> 
> Thanks for jumping in quickly and addressing all the remaining issues.
> Second series look good to me. I will back-port all 6 patches to
> branch-2.8 now. Thank you!

I see that Ansis and Alin have pushed recent changes to branch-2.8.  I'm getting ready to release 2.8.0.  I assume we want those changes to be part of that?  Anything else?

Thanks,

--Justin
Alin Serdean Sept. 2, 2017, 1:30 a.m. UTC | #5
> -----Original Message-----
> From: Justin Pettit [mailto:jpettit@ovn.org]
> Sent: Saturday, September 2, 2017 3:24 AM
> To: Ansis Atteka <ansisatteka@gmail.com>
> Cc: Aaron Conole <aconole@redhat.com>; <dev@openvswitch.org>
> <dev@openvswitch.org>; Ansis Atteka <aatteka@ovn.org>; Jean Hsiao
> <jhsiao@redhat.com>; Flavio Leitner <fbl@sysclose.org>; Alin Serdean
> <aserdean@cloudbasesolutions.com>
> Subject: Re: [PATCH v3 0/3] updated selinux policy for Open vSwitch
> 
> 
> > On Sep 1, 2017, at 12:50 PM, Ansis Atteka <ansisatteka@gmail.com> wrote:
> >
> > Thanks for jumping in quickly and addressing all the remaining issues.
> > Second series look good to me. I will back-port all 6 patches to
> > branch-2.8 now. Thank you!
> 
> I see that Ansis and Alin have pushed recent changes to branch-2.8.  I'm
> getting ready to release 2.8.0.  I assume we want those changes to be part of
> that?  Anything else?
> 
> Thanks,
> 
> --Justin
> 
[Alin Serdean] It would be nice, but not mandatory in my opinion. Most Windows users will look for an MSI rather than compiling from source.
The following series would be nice to add to 2.8, because that gets published via PyPI (https://pypi.python.org/pypi/ovs), but unfortunately it lacks reviews:
https://patchwork.ozlabs.org/patch/805943/
https://patchwork.ozlabs.org/patch/805945/

Thanks,
Alin.
Justin Pettit Sept. 2, 2017, 2:56 a.m. UTC | #6
> On Sep 1, 2017, at 6:30 PM, Alin Serdean <aserdean@cloudbasesolutions.com> wrote:
> 
> [Alin Serdean] It would be nice, but not mandatory in my opinion. Most of the Windows users will search for a MSI rather than compiling from source.
> The following series would be nice to be added on 2.8, because that gets published via pypi (https://pypi.python.org/pypi/ovs), but unfortunately it lacks reviews
> https://patchwork.ozlabs.org/patch/805943/
> https://patchwork.ozlabs.org/patch/805945/

I'd like to get the release out, but do you think these are important enough to hold off the release or can they wait for 2.8.1?

--Justin
Alin Serdean Sept. 2, 2017, 3:04 a.m. UTC | #7
> -----Original Message-----
> From: Justin Pettit [mailto:jpettit@ovn.org]
> Sent: Saturday, September 2, 2017 5:56 AM
> To: Alin Serdean <aserdean@cloudbasesolutions.com>
> Cc: Ansis Atteka <ansisatteka@gmail.com>; Aaron Conole
> <aconole@redhat.com>; <dev@openvswitch.org> <dev@openvswitch.org>;
> Ansis Atteka <aatteka@ovn.org>; Jean Hsiao <jhsiao@redhat.com>; Flavio
> Leitner <fbl@sysclose.org>
> Subject: Re: [PATCH v3 0/3] updated selinux policy for Open vSwitch
> 
> 
> > On Sep 1, 2017, at 6:30 PM, Alin Serdean
> <aserdean@cloudbasesolutions.com> wrote:
> >
> > [Alin Serdean] It would be nice, but not mandatory in my opinion. Most of
> the Windows users will search for a MSI rather than compiling from source.
> > The following series would be nice to be added on 2.8, because that
> > gets published via pypi (https://pypi.python.org/pypi/ovs), but
> > unfortunately it lacks reviews
> > https://patchwork.ozlabs.org/patch/805943/
> > https://patchwork.ozlabs.org/patch/805945/
> 
> I'd like to get the release out, but do you think these are important enough
> to hold off the release or can they wait for 2.8.1?
> 
> --Justin
> 
[Alin Serdean] It can wait for 2.8.1 in my opinion.
A use case impacted by this is neutron-ovs-agent (OpenStack) using the native implementation over TCP sockets.
As a workaround, users can use the named pipe implementation instead of the TCP sockets.
Thanks,
Alin.