Message ID | 20180504182818.24299-6-aconole@redhat.com |
---|---|
State | Superseded |
Series | selinux: introduce a transition domain for loading kmods | expand |
On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote: > The rpm doesn't invoke all of the required selinux helpers to enact labeling > or relabeling on all versions of Fedora/RHEL. According to: > https://fedoraproject.org/wiki/SELinux/IndependentPolicy > This commit switches to use the selinux rpm macros which will ensure that > all of the labels defined in the .fc.in file are applied properly. > Acked-By: Timothy Redaelli <tredaelli@redhat.com> > Signed-off-by: Aaron Conole <aconole@redhat.com> Awesome work, Aaron. Thanks! Acked-by: Ansis Atteka <aatteka@ovn.org> FYI: While testing your patches I somehow got into strange condition where on CentOS I ran into following error during /etc/init.d/openvswitch restart step: 32728 execve("/sbin/modprobe", ["modprobe", "openvswitch"], [/* 22 vars */]) = 0 ... init_module(0x8ea250, 15901, "") = -1 EPROTOTYPE But probably unrelated to your patches because if it had something to do with SElinux then it would have been EPERM error. I just redeployed the centosbuilder with vagrant and issue went away. Mentioning in case you saw something similar. > --- > rhel/openvswitch-fedora.spec.in | 10 ++++++++-- > rhel/openvswitch.spec.in | 10 ++++++++-- > 2 files changed, 16 insertions(+), 4 deletions(-) > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/ openvswitch-fedora.spec.in > index bf4526de2..e7d5d536d 100644 > --- a/rhel/openvswitch-fedora.spec.in > +++ b/rhel/openvswitch-fedora.spec.in > @@ -339,6 +339,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > %clean > rm -rf $RPM_BUILD_ROOT > +%pre selinux-policy > +%selinux_relabel_pre -s targeted > + > %preun > %if 0%{?systemd_preun:1} > %systemd_preun %{name}.service 
> @@ -449,7 +452,7 @@ fi > %endif > %post selinux-policy > -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > %postun > %if 0%{?systemd_postun:1} > @@ -481,9 +484,12 @@ fi > %postun selinux-policy > if [ $1 -eq 0 ] ; then > - /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > + %selinux_modules_uninstall -s targeted openvswitch-custom > fi > +%posttrans selinux-policy > +%selinux_relabel_post -s targeted > + > %files selinux-policy > %defattr(-,root,root) > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in > index 883d25607..9dca3873b 100644 > --- a/rhel/openvswitch.spec.in > +++ b/rhel/openvswitch.spec.in > @@ -169,8 +169,11 @@ fi > /sbin/chkconfig --add openvswitch > /sbin/chkconfig openvswitch on > +%pre selinux-policy > +%selinux_relabel_pre -s targeted > + > %post selinux-policy > -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > %preun > if [ "$1" = "0" ]; then # $1 = 0 for uninstall > @@ -187,11 +190,14 @@ fi > %postun selinux-policy > if [ $1 -eq 0 ] ; then > - /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > + %selinux_modules_uninstall -s targeted openvswitch-custom > fi > exit 0 > +%posttrans selinux-policy > +%selinux_relabel_post -s targeted > + > %files > %defattr(-,root,root) > %dir /etc/openvswitch > -- > 2.14.3
Ansis Atteka <ansisatteka@gmail.com> writes: > On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote: > >> The rpm doesn't invoke all of the required selinux helpers to enact > labeling >> or relabeling on all versions of Fedora/RHEL. According to: >> https://fedoraproject.org/wiki/SELinux/IndependentPolicy > >> This commit switches to use the selinux rpm macros which will ensure that >> all of the labels defined in the .fc.in file are applied properly. > >> Acked-By: Timothy Redaelli <tredaelli@redhat.com> >> Signed-off-by: Aaron Conole <aconole@redhat.com> > Awesome work, Aaron. Thanks! > > Acked-by: Ansis Atteka <aatteka@ovn.org> > > FYI: While testing your patches I somehow got into strange condition where > on CentOS I ran into following error during /etc/init.d/openvswitch restart > step: > > 32728 execve("/sbin/modprobe", ["modprobe", "openvswitch"], [/* 22 vars > */]) = 0 > ... > init_module(0x8ea250, 15901, "") = -1 EPROTOTYPE > > But probably unrelated to your patches because if it had something to do > with SElinux then it would have been EPERM error. I just redeployed the > centosbuilder with vagrant and issue went away. Mentioning in case you saw > something similar. Thanks for the heads up. I didn't observe this (neither CentOS, Fedora, or RHEL). Also, the error message is quite strange. Kernel only emits that error in some very specific cases (and I don't think they're applicable). Maybe it's an error from glibc? Not sure. >> --- >> rhel/openvswitch-fedora.spec.in | 10 ++++++++-- >> rhel/openvswitch.spec.in | 10 ++++++++-- >> 2 files changed, 16 insertions(+), 4 deletions(-) > >> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/ > openvswitch-fedora.spec.in >> index bf4526de2..e7d5d536d 100644 >> --- a/rhel/openvswitch-fedora.spec.in >> +++ b/rhel/openvswitch-fedora.spec.in 
>> @@ -339,6 +339,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ >> %clean >> rm -rf $RPM_BUILD_ROOT > >> +%pre selinux-policy >> +%selinux_relabel_pre -s targeted >> + >> %preun >> %if 0%{?systemd_preun:1} >> %systemd_preun %{name}.service >> @@ -449,7 +452,7 @@ fi >> %endif > >> %post selinux-policy >> -/usr/sbin/semodule -i > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : >> +%selinux_modules_install -s targeted > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > >> %postun >> %if 0%{?systemd_postun:1} >> @@ -481,9 +484,12 @@ fi > >> %postun selinux-policy >> if [ $1 -eq 0 ] ; then >> - /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : >> + %selinux_modules_uninstall -s targeted openvswitch-custom >> fi > >> +%posttrans selinux-policy >> +%selinux_relabel_post -s targeted >> + >> %files selinux-policy >> %defattr(-,root,root) >> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp >> diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in >> index 883d25607..9dca3873b 100644 >> --- a/rhel/openvswitch.spec.in >> +++ b/rhel/openvswitch.spec.in >> @@ -169,8 +169,11 @@ fi >> /sbin/chkconfig --add openvswitch >> /sbin/chkconfig openvswitch on > >> +%pre selinux-policy >> +%selinux_relabel_pre -s targeted >> + >> %post selinux-policy >> -/usr/sbin/semodule -i > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : >> +%selinux_modules_install -s targeted > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > >> %preun >> if [ "$1" = "0" ]; then # $1 = 0 for uninstall 
>> @@ -187,11 +190,14 @@ fi > >> %postun selinux-policy >> if [ $1 -eq 0 ] ; then >> - /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : >> + %selinux_modules_uninstall -s targeted openvswitch-custom >> fi > >> exit 0 > >> +%posttrans selinux-policy >> +%selinux_relabel_post -s targeted >> + >> %files >> %defattr(-,root,root) >> %dir /etc/openvswitch >> -- >> 2.14.3 > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index bf4526de2..e7d5d536d 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -339,6 +339,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %preun
 %if 0%{?systemd_preun:1}
 %systemd_preun %{name}.service
@@ -449,7 +452,7 @@ fi
 %endif
 
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
@@ -481,9 +484,12 @@ fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
- /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+ %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files selinux-policy
 %defattr(-,root,root)
 %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in
index 883d25607..9dca3873b 100644
--- a/rhel/openvswitch.spec.in
+++ b/rhel/openvswitch.spec.in
@@ -169,8 +169,11 @@ fi
 /sbin/chkconfig --add openvswitch
 /sbin/chkconfig openvswitch on
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %preun
 if [ "$1" = "0" ]; then # $1 = 0 for uninstall
@@ -187,11 +190,14 @@ fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
- /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+ %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
 exit 0
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files
 %defattr(-,root,root)
 %dir /etc/openvswitch
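Review bot: The new `%pre selinux-policy` scriptlet depends on `%selinux_relabel_pre` (and the later scriptlets on `%selinux_modules_install`, `%selinux_modules_uninstall` and `%selinux_relabel_post`), which come from the selinux-policy macro file rather than from rpm itself; unless the spec already declares `BuildRequires: selinux-policy-devel` and `%{?selinux_requires}` on the selinux-policy subpackage outside these hunks, an undefined macro is left as literal text in the scriptlet and surfaces as a command-not-found failure at install time instead of at build time. The same applies to the two hunks in rhel/openvswitch.spec.in, whose chkconfig-based scriptlets suggest an older target where I am not certain the macros are shipped at all. As a point of style, `-s targeted` is now repeated in four scriptlets per spec; a single `%global selinuxtype targeted` referenced as `-s %{selinuxtype}` would keep them in step.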
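Review bot: `%posttrans selinux-policy` runs only on install and upgrade, so the `%selinux_relabel_post -s targeted` added there does not cover the erase path, where `%postun` removes the module but, as far as I can tell, leaves files carrying contexts the loaded policy no longer defines until something else relabels them. Adding `%selinux_relabel_post -s targeted` on the line after `%selinux_modules_uninstall -s targeted openvswitch-custom` inside the `if [ $1 -eq 0 ]` branch of `%postun` restores default labels on removal; the same applies to the `%postun selinux-policy` hunk in rhel/openvswitch-fedora.spec.in.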