Message ID | 20180320210518.9982-4-aconole@redhat.com |
---|---|
State | Changes Requested |
Series | selinux: introduce a transition domain for loading kmods |
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> This commit uses the previously defined selinux label to transition
> from the openvswitch_t to openvswitch_load_module_t domain, by way of
> a specially labelled ovs-kmod-ctl helper.

s/by way of a specially labelled ovs-kmod-ctl helper/ by executing ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t type.

>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  selinux/.gitignore               | 4 ++++
>  selinux/automake.mk              | 3 ++-
>  selinux/openvswitch-custom.fc.in | 1 +
>  3 files changed, 7 insertions(+), 1 deletion(-)
>  create mode 100644 selinux/openvswitch-custom.fc.in
>
> diff --git a/selinux/.gitignore b/selinux/.gitignore
> index 83a0afb51..64e834cd1 100644
> --- a/selinux/.gitignore
> +++ b/selinux/.gitignore
> @@ -1 +1,5 @@
>  openvswitch-custom.te
> +openvswitch-custom.fc
> +openvswitch-custom.pp
> +openvswitch-custom.if
> +tmp/
> diff --git a/selinux/automake.mk b/selinux/automake.mk
> index b37e8f337..c7dfe6ed5 100644
> --- a/selinux/automake.mk
> +++ b/selinux/automake.mk
> @@ -6,11 +6,12 @@
>  # without warranty of any kind.
>
>  EXTRA_DIST += \
> +	selinux/openvswitch-custom.fc.in \
>  	selinux/openvswitch-custom.te.in
>
>  PHONY: selinux-policy
>
> -selinux-policy: selinux/openvswitch-custom.te
> +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
>  	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
>
>  CLEANFILES += \
> diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
> new file mode 100644
> index 000000000..c2756d04b
> --- /dev/null
> +++ b/selinux/openvswitch-custom.fc.in
> @@ -0,0 +1 @@
> +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)

It seems that above line did not work for me on CentOS 7 (at least automatically). If you use vagrant then you can repro by:

# cd poc/builders
# vagrant up centosbuilder
# vagrant ssh centosbuilder
# cd /var/www/html/RPMS/x86_64
# install ovs rpm
# cd /var/www/html/RPMS/noarch
# install selinux rpm
# ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl

to see it for yourself.

> --
> 2.14.3
>
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> This commit uses the previously defined selinux label to transition
>> from the openvswitch_t to openvswitch_load_module_t domain, by way of
>> a specially labelled ovs-kmod-ctl helper.
>
> s/by way of a specially labelled ovs-kmod-ctl helper/ by executing
> ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t
> type.

I like that this also eliminates a silly spelling mistake. I'll use it. Thanks!

>>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  selinux/.gitignore               | 4 ++++
>>  selinux/automake.mk              | 3 ++-
>>  selinux/openvswitch-custom.fc.in | 1 +
>>  3 files changed, 7 insertions(+), 1 deletion(-)
>>  create mode 100644 selinux/openvswitch-custom.fc.in
>>
>> diff --git a/selinux/.gitignore b/selinux/.gitignore
>> index 83a0afb51..64e834cd1 100644
>> --- a/selinux/.gitignore
>> +++ b/selinux/.gitignore
>> @@ -1 +1,5 @@
>>  openvswitch-custom.te
>> +openvswitch-custom.fc
>> +openvswitch-custom.pp
>> +openvswitch-custom.if
>> +tmp/
>> diff --git a/selinux/automake.mk b/selinux/automake.mk
>> index b37e8f337..c7dfe6ed5 100644
>> --- a/selinux/automake.mk
>> +++ b/selinux/automake.mk
>> @@ -6,11 +6,12 @@
>>  # without warranty of any kind.
>>
>>  EXTRA_DIST += \
>> +	selinux/openvswitch-custom.fc.in \
>>  	selinux/openvswitch-custom.te.in
>>
>>  PHONY: selinux-policy
>>
>> -selinux-policy: selinux/openvswitch-custom.te
>> +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
>>  	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
>>
>>  CLEANFILES += \
>> diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
>> new file mode 100644
>> index 000000000..c2756d04b
>> --- /dev/null
>> +++ b/selinux/openvswitch-custom.fc.in
>> @@ -0,0 +1 @@
>> +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
>
> It seems that above line did not work for me on CentOS 7 (at least
> automatically). If you use vagrant then you can repro by:

Right, I'm not surprised. I discovered that there needs to still be a relabel operation.

> # cd poc/builders
> # vagrant up centosbuilder
> # vagrant ssh centosbuilder
> # cd /var/www/html/RPMS/x86_64
> # install ovs rpm
> # cd /var/www/html/RPMS/noarch
> # install selinux rpm
> # ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl

But I wonder if it's still not functional after 4/4 - I'll look into it.

> to see it for yourself.
>> --
>> 2.14.3
>>
diff --git a/selinux/.gitignore b/selinux/.gitignore index 83a0afb51..64e834cd1 100644 --- a/selinux/.gitignore +++ b/selinux/.gitignore @@ -1 +1,5 @@ openvswitch-custom.te +openvswitch-custom.fc +openvswitch-custom.pp +openvswitch-custom.if +tmp/ diff --git a/selinux/automake.mk b/selinux/automake.mk index b37e8f337..c7dfe6ed5 100644 --- a/selinux/automake.mk +++ b/selinux/automake.mk @@ -6,11 +6,12 @@ # without warranty of any kind. EXTRA_DIST += \ + selinux/openvswitch-custom.fc.in \ selinux/openvswitch-custom.te.in PHONY: selinux-policy -selinux-policy: selinux/openvswitch-custom.te +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile CLEANFILES += \ diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in new file mode 100644 index 000000000..c2756d04b --- /dev/null +++ b/selinux/openvswitch-custom.fc.in @@ -0,0 +1 @@ +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
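Review bot: in the automake.mk hunk, the new prerequisite `selinux/openvswitch-custom.fc` on the `selinux-policy` target has no visible producer: the diffstat lists only `.gitignore`, `automake.mk` and the new `.fc.in`, so nothing in this commit turns the `@pkgdatadir@` template into the `.fc` file. If `openvswitch-custom.te` is generated from its `.te.in` by configure, the `.fc.in` needs the matching configure.ac entry in the same commit, otherwise `make selinux-policy` has no rule for the target. Two smaller points in the same hunk: the context line `PHONY: selinux-policy` lacks the leading dot (`.PHONY:`), so the target is not actually declared phony (pre-existing, but worth fixing while these lines are touched), and the hunk stops at `CLEANFILES += \` without showing whether the generated `.fc` is cleaned, even though `.gitignore` now treats it as a build product.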
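Review bot: the openvswitch-custom.fc.in hunk adds the file context but nothing applies it to a file that is already installed: a file context in a loaded module only affects files created or relabelled afterwards, so an `ovs-kmod-ctl` installed by the openvswitch RPM keeps its old type, which is what the `ls -Z` check in the review thread shows, and without the `openvswitch_load_module_exec_t` label the transition from `openvswitch_t` to `openvswitch_load_module_t` described in the commit message never happens. The packaging or install step that loads the module should run `restorecon` on `@pkgdatadir@/scripts/ovs-kmod-ctl` after `semodule -i`, and the commit message should state that requirement. The `--` file-type field restricting the match to regular files is correct for a script.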
This commit uses the previously defined selinux label to transition
from the openvswitch_t to openvswitch_load_module_t domain, by way of
a specially labelled ovs-kmod-ctl helper.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/.gitignore               | 4 ++++
 selinux/automake.mk              | 3 ++-
 selinux/openvswitch-custom.fc.in | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 selinux/openvswitch-custom.fc.in