From patchwork Thu Aug 31 23:22:43 2017
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 808461
From: Aaron Conole
To: dev@openvswitch.org
Cc: Flavio Leitner, Ansis Atteka
Date: Thu, 31 Aug 2017 19:22:43 -0400
Message-Id: <20170831232245.3644-2-aconole@redhat.com>
In-Reply-To: <20170831232245.3644-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH v3 1/3] rhel: make the selinux policy intermediate

This will be used by an upcoming commit to have @begin_ and @end_ dpdk blocks to keep dpdk-specific policy decisions only active when dpdk is used.

Acked-by: Flavio Leitner
Signed-off-by: Aaron Conole
Tested-by: Jean Hsiao
Acked-by: Ansis Atteka
--- rhel/openvswitch-fedora.spec.in | 1 + selinux/automake.mk | 2 +- selinux/{openvswitch-custom.te => openvswitch-custom.te.in} | 0 3 files changed, 2 insertions(+), 1 deletion(-) rename selinux/{openvswitch-custom.te => openvswitch-custom.te.in} (100%) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 59e8ff8..dd79fa9 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in
@@ -239,6 +239,7 @@ Docker network plugins for OVN. > rhel/usr_lib_systemd_system_ovs-vswitchd.service make %{?_smp_mflags} +make selinux/openvswitch-custom.te cd selinux make -f %{_datadir}/selinux/devel/Makefile diff --git a/selinux/automake.mk b/selinux/automake.mk index 1088f36..e8871aa 100644 --- a/selinux/automake.mk +++ b/selinux/automake.mk @@ -6,4 +6,4 @@ # without warranty of any kind. EXTRA_DIST += \ - selinux/openvswitch-custom.te + selinux/openvswitch-custom.te.in 
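Review bot: the new `make selinux/openvswitch-custom.te` line in %build relies on the generic `.in` suffix rule in the top-level Makefile.am to regenerate the policy from openvswitch-custom.te.in, but nothing removes a pre-existing selinux/openvswitch-custom.te first; since a checked-in file of exactly that name existed before this rename, a stale or hand-edited copy whose timestamp is newer than the .te.in would satisfy make and be what `cd selinux; make -f %{_datadir}/selinux/devel/Makefile` compiles. Consider `rm -f selinux/openvswitch-custom.te` ahead of the make, plus a one-line comment naming the .in rule this step depends on.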
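Review bot: in the selinux/automake.mk hunk EXTRA_DIST now ships the .te.in, but the generated selinux/openvswitch-custom.te is added neither to CLEANFILES nor, anywhere in this series, to .gitignore, so `make clean` leaves the built policy behind and a contributor who has run the spec's build step can commit it by accident under the name the file had before the rename. Add `CLEANFILES += selinux/openvswitch-custom.te` next to this EXTRA_DIST change.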
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te.in similarity index 100% rename from selinux/openvswitch-custom.te rename to selinux/openvswitch-custom.te.in

From patchwork Thu Aug 31 23:22:44 2017
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 808462
From: Aaron Conole
To: dev@openvswitch.org
Cc: Flavio Leitner, Ansis Atteka
Date: Thu, 31 Aug 2017 19:22:44 -0400
Message-Id: <20170831232245.3644-3-aconole@redhat.com>
In-Reply-To: <20170831232245.3644-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH v3 2/3] makefile: hook up dpdkstrip preprocessor

When building the openvswitch-custom.te file, it is important to have the ability to filter out dpdk blocks depending on whether the system has been configured with dpdk or not. This allows using all the standard .in file blocks, as well as the dpdkstrip blocks, when constructing the selinux policy file. Additionally, this means any .in files which might want to change based on configuration to exclude blocks based on dpdk can do so.

Acked-by: Flavio Leitner
Signed-off-by: Aaron Conole
Tested-by: Jean Hsiao
Acked-by: Ansis Atteka
--- Makefile.am | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile.am b/Makefile.am index 035afe6..31d6331 100644 --- a/Makefile.am +++ b/Makefile.am @@ -35,6 +35,9 @@ AM_CFLAGS += $(OVS_CFLAGS) if DPDK_NETDEV AM_CFLAGS += -D_FILE_OFFSET_BITS=64 +DPDKSTRIP_FLAGS = --dpdk +else +DPDKSTRIP_FLAGS = --nodpdk endif if NDEBUG
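Review bot: setting DPDKSTRIP_FLAGS inside the `if DPDK_NETDEV` block that otherwise only adjusts AM_CFLAGS hides a variable that drives the generic `.in` rule for every .in file in the tree, far from where that rule lives. A short comment above `+DPDKSTRIP_FLAGS = --dpdk` saying that it feeds build-aux/dpdkstrip.pl in the .in rule (or moving this conditional next to that rule) would spare the next reader a search and make it obvious that an empty DPDKSTRIP_FLAGS is never an intended state.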
@@ -141,6 +144,7 @@ ro_shell = printf '\043 Generated automatically -- do not modify! -*- buffer- SUFFIXES += .in .in: $(AM_V_GEN)$(PERL) $(srcdir)/build-aux/soexpand.pl -I$(srcdir) < $< | \ + $(PERL) $(srcdir)/build-aux/dpdkstrip.pl $(DPDKSTRIP_FLAGS) | \ sed \ -e 's,[@]PKIDIR[@],$(PKIDIR),g' \ -e 's,[@]LOGDIR[@],$(LOGDIR),g' \
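Review bot: the `.in` rule is a shell pipeline, so with the default /bin/sh the exit status make sees is sed's, not dpdkstrip.pl's; a missing or failing build-aux/dpdkstrip.pl (the series references the script but neither adds it nor shows it in EXTRA_DIST, so confirm it is already in the tree and distributed) would leave a truncated openvswitch-custom.te, or one still carrying @begin_dpdk@/@end_dpdk@ lines, for the SELinux Makefile to compile. The weakness already existed with soexpand.pl, but adding a second stage is the moment to write the output to a temporary file and rename it into place only when every stage succeeded, and to confirm that dpdkstrip.pl exits non-zero on an unbalanced marker pair rather than passing the remainder through.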
From patchwork Thu Aug 31 23:22:45 2017
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 808463
From: Aaron Conole
To: dev@openvswitch.org
Cc: Flavio Leitner, Ansis Atteka
Date: Thu, 31 Aug 2017 19:22:45 -0400
Message-Id: <20170831232245.3644-4-aconole@redhat.com>
In-Reply-To: <20170831232245.3644-1-aconole@redhat.com>
Subject: [ovs-dev] [PATCH v3 3/3] selinux: update policy to reflect non-root and dpdk support

The selinux policy that exists in the repository did not specify access to all of the resources needed for Open vSwitch to properly function with an enforcing selinux policy. This update allows Open vSwitch to operate with selinux set to Enforcing mode, even while running as a non-root user.

Acked-by: Flavio Leitner
Signed-off-by: Aaron Conole
Tested-by: Jean Hsiao
Acked-by: Ansis Atteka
--- selinux/openvswitch-custom.te.in | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 47ddb56..66cb678 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in
@@ -2,15 +2,53 @@ module openvswitch-custom 1.0.1; require { type openvswitch_t; + type openvswitch_rw_t; type openvswitch_tmp_t; + type openvswitch_var_run_t; + type ifconfig_exec_t; type hostname_exec_t; + type tun_tap_device_t; + +@begin_dpdk@ + type hugetlbfs_t; + type kernel_t; + type svirt_image_t; + type vfio_device_t; +@end_dpdk@ + + class capability { dac_override audit_write }; + class dir { write remove_name add_name lock read }; + class file { write getattr read open execute execute_no_trans create unlink }; + class netlink_audit_socket { create nlmsg_relay audit_write read write }; class netlink_socket { setopt getopt create connect getattr write read }; - class file { write getattr read open execute execute_no_trans }; + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; + +@begin_dpdk@ + class chr_file { write getattr read open ioctl }; + class tun_socket { relabelfrom relabelto create }; +@end_dpdk@ } #============= openvswitch_t ============== +allow openvswitch_t self:capability { dac_override audit_write }; +allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; + allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; + +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read }; +allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; +allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; +allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; + +@begin_dpdk@ 
+allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read }; +allow openvswitch_t hugetlbfs_t:file { create unlink }; +allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; +allow openvswitch_t self:tun_socket { relabelfrom relabelto create }; +allow openvswitch_t svirt_image_t:file { getattr read write }; +allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; +@end_dpdk@
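Review bot: `class chr_file { write getattr read open ioctl };` is declared only inside the @begin_dpdk@/@end_dpdk@ pair in the require block, but `allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };` sits outside any dpdk block, so a --nodpdk build yields a module that uses chr_file without requiring it; move that class declaration out of the dpdk block (tun_socket can stay inside) and confirm the --nodpdk openvswitch-custom.te still passes checkmodule. Two smaller points: `type openvswitch_var_run_t;` is added to require but no rule in this hunk uses it, and `dac_override` together with the full unix_stream_socket permission set towards kernel_t are broad grants for a daemon the message says is meant to run unprivileged; a comment on which operation needs each (what still trips dac_override once ovs-vswitchd runs as non-root, for instance) would make later audits of this policy much easier.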
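As an added example, not code from Open vSwitch and not part of this series, the block below re-creates in Python the two things the thread describes: the @begin_dpdk@/@end_dpdk@ filtering that patch 2/3 routes through build-aux/dpdkstrip.pl (the real script is Perl; the semantics assumed here are whole-line markers that do not nest, bodies kept for --dpdk and dropped for --nodpdk), and the consistency check a reviewer applies to the require block in patch 3/3, namely that every type, class and permission an allow rule uses is declared in `require { }`. The sample policy is constructed inline from a subset of the rules visible in patch 3/3; the rule grammar the lint understands (the brace form `allow S T:C { perms };` used throughout that file) and the function names are this example's own.

```python
"""Added example, not Open vSwitch code.  A Python stand-in for the
@begin_dpdk@/@end_dpdk@ filtering the series routes through
build-aux/dpdkstrip.pl, followed by a lint of the stripped SELinux module:
every type and class an allow rule uses must appear in require { }."""
import re

BEGIN_DPDK, END_DPDK = "@begin_dpdk@", "@end_dpdk@"

# Constructed sample: a subset of patch 3/3, with chr_file declared only
# inside a dpdk block while a non-dpdk rule uses it, exactly as posted.
SAMPLE_TE_IN = """\
module openvswitch-custom 1.0.1;
require {
    type openvswitch_t;
    type tun_tap_device_t;
@begin_dpdk@
    type hugetlbfs_t;
    type vfio_device_t;
@end_dpdk@
    class capability { dac_override audit_write };
    class file { write getattr read open execute execute_no_trans create unlink };
@begin_dpdk@
    class chr_file { write getattr read open ioctl };
@end_dpdk@
}
allow openvswitch_t self:capability { dac_override audit_write };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
@begin_dpdk@
allow openvswitch_t hugetlbfs_t:file { create unlink };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
@end_dpdk@
"""


def dpdk_strip(text, dpdk):
    """Keep (dpdk=True) or drop (dpdk=False) marker-block bodies.  Marker
    lines never reach the output; unbalanced markers raise instead of
    silently yielding a half-stripped policy (assumed semantics)."""
    out, in_block = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        tag = line.strip()
        if tag == BEGIN_DPDK:
            if in_block:
                raise ValueError("line %d: nested %s" % (lineno, tag))
            in_block = True
        elif tag == END_DPDK:
            if not in_block:
                raise ValueError("line %d: stray %s" % (lineno, tag))
            in_block = False
        elif dpdk or not in_block:
            out.append(line)
    if in_block:
        raise ValueError("unterminated %s block" % BEGIN_DPDK)
    return "\n".join(out) + "\n"


# Only the brace form used in openvswitch-custom.te.in is recognised.
REQ_TYPE = re.compile(r"^\s*type\s+(\w+)\s*;")
REQ_CLASS = re.compile(r"^\s*class\s+(\w+)\s*\{([^}]*)\}\s*;")
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")


def parse_require(text):
    """Return (types, {class: perms}) declared in the module's require { }."""
    m = re.search(r"require\s*\{(.*?)\n\}", text, re.S)
    if m is None:
        raise ValueError("no require { } block found")
    types, classes = set(), {}
    for line in m.group(1).splitlines():
        t, c = REQ_TYPE.match(line), REQ_CLASS.match(line)
        if t:
            types.add(t.group(1))
        elif c:
            classes[c.group(1)] = set(c.group(2).split())
    return types, classes


def lint_allow_rules(text):
    """Report allow rules whose types, class or permissions are not covered
    by require { }.  An empty list means the module is self-consistent."""
    types, classes = parse_require(text)
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALLOW.match(line)
        if m is None:
            continue
        src, tgt, cls = m.group(1), m.group(2), m.group(3)
        perms = set(m.group(4).split())
        for t in (src, tgt):
            if t != "self" and t not in types:
                problems.append("line %d: type %s not in require" % (lineno, t))
        if cls not in classes:
            problems.append("line %d: class %s not in require" % (lineno, cls))
        elif perms - classes[cls]:
            problems.append("line %d: class %s lacks %s"
                            % (lineno, cls, sorted(perms - classes[cls])))
    return problems


def check_policy(dpdk):
    """Strip the sample for one configuration (--dpdk / --nodpdk), then lint it."""
    return lint_allow_rules(dpdk_strip(SAMPLE_TE_IN, dpdk))


if __name__ == "__main__":
    for flag in (True, False):
        print("--dpdk" if flag else "--nodpdk", check_policy(flag) or "ok")
```

Run as a script it reports the --dpdk configuration clean and flags the tun_tap_device_t:chr_file rule in the --nodpdk one, which is the mismatch a reviewer would raise against the posted require block; whether checkmodule itself rejects that module on a build host is the thing to confirm before relying on either result. The same lint can be pointed at the real generated selinux/openvswitch-custom.te by replacing SAMPLE_TE_IN with the file contents.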