From patchwork Thu Aug 31 23:22:42 2017
From: Aaron Conole <aconole@redhat.com>
To: dev@openvswitch.org
Cc: Flavio Leitner, Ansis Atteka
Date: Thu, 31 Aug 2017 19:22:42 -0400
Message-Id: <20170831232245.3644-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH v3 0/3] updated selinux policy for Open vSwitch

This series brings about a policy update to openvswitch allowing it to run on a RHEL / Fedora system, even as a non-root user, with selinux set to Enforcing.

The first two patches make some changes to the way the selinux policy is built to have a macro-like effect, allowing the dpdk policy to be enabled or disabled based on the build. This is chosen instead of using an selinux boolean, because it is more transparent to the end user.

All of this work was tested by passing traffic, including via a dpdk bridge.

I'm hoping that this can be backported to the 2.8 branch (since it would be needed to make fedora 2.8 make sense), but if not, we can always do the manual backport.

Original Series: https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337513.html

v2->v3:
* move tun_tap_device_t permissions to be more general purpose

v1->v2:
* updated after PVP testing. There are still permissions needed to be added to libvirt / qemu, but that is outside the scope of the Open vSwitch project.
* Folded in Flavio Leitner's ACK

Aaron Conole (3):
  rhel: make the selinux policy intermediate
  makefile: hook up dpdkstrip preprocessor
  selinux: update policy to reflect non-root and dpdk support

 Makefile.am                      |  4 +++
 rhel/openvswitch-fedora.spec.in  |  1 +
 selinux/automake.mk              |  2 +-
 selinux/openvswitch-custom.te    | 16 ------------
 selinux/openvswitch-custom.te.in | 54 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 60 insertions(+), 17 deletions(-)
 delete mode 100644 selinux/openvswitch-custom.te
 create mode 100644 selinux/openvswitch-custom.te.in
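The cover letter describes turning the policy source into an intermediate `.te.in` that a build-time preprocessor renders with or without the dpdk rules, so the shipped policy only grants what the build actually needs. The following is an added illustration of that build-time gating, not code from this series or from Open vSwitch: the `@begin_dpdk@`/`@end_dpdk@` marker names, the `dpdk_strip` function and the sample policy rules are all assumptions constructed for the example.

```shell
# Added example (not part of the patch series): a minimal build-time
# preprocessor in the spirit of a "dpdkstrip" step. The marker names
# @begin_dpdk@ / @end_dpdk@ are an assumption, not taken from the series.

# Constructed sample policy template; the rules are illustrative only.
SAMPLE_TE_IN='policy_module(openvswitch-custom, 0.1)
require {
    type openvswitch_t;
}
allow openvswitch_t self:capability { net_admin };
@begin_dpdk@
allow openvswitch_t self:capability { sys_rawio };
@end_dpdk@
allow openvswitch_t tun_tap_device_t:chr_file { open read write };'

# dpdk_strip MODE: MODE is "enable" (keep the dpdk block, drop only the
# marker lines) or "disable" (drop the block together with its markers).
# Reads the template on stdin and writes the rendered policy on stdout,
# mirroring a Makefile rule of the form .te.in -> .te
dpdk_strip() {
    mode="$1"
    awk -v mode="$mode" '
        /^@begin_dpdk@$/ { in_dpdk = 1; next }
        /^@end_dpdk@$/   { in_dpdk = 0; next }
        in_dpdk && mode != "enable" { next }
        { print }
    '
}

# Wrappers over the constructed sample so the two build flavours can be
# compared: a dpdk-enabled build keeps sys_rawio, a non-dpdk build does not.
render_with_dpdk()    { printf '%s\n' "$SAMPLE_TE_IN" | dpdk_strip enable; }
render_without_dpdk() { printf '%s\n' "$SAMPLE_TE_IN" | dpdk_strip disable; }

# count_rule TEXT PATTERN: number of rendered lines matching PATTERN.
# grep -c prints 0 on no match; "|| true" keeps that a non-error.
count_rule() {
    printf '%s\n' "$1" | grep -c "$2" || true
}

# Stand-alone usage: show both renderings.
echo "== dpdk build ==";     render_with_dpdk
echo "== non-dpdk build =="; render_without_dpdk
```

Because the decision is made when the policy is built rather than toggled with a boolean at runtime, the installed policy is exactly what `semodule` loads and what an auditor reads, which is the transparency argument the cover letter makes.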