[ovs-dev,3/4] selinux: introduce domain transitioned kmod helper

Message ID 20180320210518.9982-4-aconole@redhat.com
State Changes Requested
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole March 20, 2018, 9:05 p.m. UTC
This commit uses the previously defined selinux label to transition
from the openvswitch_t to openvswitch_load_module_t domain, by way of
a specially labelled ovs-kmod-ctl helper.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 selinux/.gitignore               | 4 ++++
 selinux/automake.mk              | 3 ++-
 selinux/openvswitch-custom.fc.in | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 selinux/openvswitch-custom.fc.in

Comments

Ansis Atteka March 26, 2018, 9:58 p.m. UTC | #1
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> This commit uses the previously defined selinux label to transition
> from the openvswitch_t to openvswitch_load_module_t domain, by way of
> a specially labelled ovs-kmod-ctl helper.

s/by way of a specially labelled ovs-kmod-ctl helper/ by executing
ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t
type.

>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  selinux/.gitignore               | 4 ++++
>  selinux/automake.mk              | 3 ++-
>  selinux/openvswitch-custom.fc.in | 1 +
>  3 files changed, 7 insertions(+), 1 deletion(-)
>  create mode 100644 selinux/openvswitch-custom.fc.in
>
> diff --git a/selinux/.gitignore b/selinux/.gitignore
> index 83a0afb51..64e834cd1 100644
> --- a/selinux/.gitignore
> +++ b/selinux/.gitignore
> @@ -1 +1,5 @@
>  openvswitch-custom.te
> +openvswitch-custom.fc
> +openvswitch-custom.pp
> +openvswitch-custom.if
> +tmp/
> diff --git a/selinux/automake.mk b/selinux/automake.mk
> index b37e8f337..c7dfe6ed5 100644
> --- a/selinux/automake.mk
> +++ b/selinux/automake.mk
> @@ -6,11 +6,12 @@
>  # without warranty of any kind.
>
>  EXTRA_DIST += \
> +        selinux/openvswitch-custom.fc.in \
>          selinux/openvswitch-custom.te.in
>
>  PHONY: selinux-policy
>
> -selinux-policy: selinux/openvswitch-custom.te
> +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
>         $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
>
>  CLEANFILES += \
> diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
> new file mode 100644
> index 000000000..c2756d04b
> --- /dev/null
> +++ b/selinux/openvswitch-custom.fc.in
> @@ -0,0 +1 @@
> +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)

It seems that the above line did not work for me on Centos 7 (at least
automatically). If you use vagrant then you can repro by:

# cd poc/builders
# vagrant up centosbuilder
# vagrant ssh centosbuilder
# cd /var/www/html/RPMS/x86_64
# install ovs rpm
# cd /var/www/html/RPMS/noarch
# install selinux rpm
# ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl

to see it for yourself.
> --
> 2.14.3
>
Aaron Conole March 27, 2018, 1:54 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> This commit uses the previously defined selinux label to transition
>> from the openvswitch_t to openvswitch_load_module_t domain, by way of
>> a specially labelled ovs-kmod-ctl helper.
>
> s/by way of a specially labelled ovs-kmod-ctl helper/ by executing
> ovs-kmod-ctl that is labelled with openvswitch_load_module_exec_t
> type.

I like that this also eliminates a silly spelling mistake.  I'll use it.

Thanks!

>>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  selinux/.gitignore               | 4 ++++
>>  selinux/automake.mk              | 3 ++-
>>  selinux/openvswitch-custom.fc.in | 1 +
>>  3 files changed, 7 insertions(+), 1 deletion(-)
>>  create mode 100644 selinux/openvswitch-custom.fc.in
>>
>> diff --git a/selinux/.gitignore b/selinux/.gitignore
>> index 83a0afb51..64e834cd1 100644
>> --- a/selinux/.gitignore
>> +++ b/selinux/.gitignore
>> @@ -1 +1,5 @@
>>  openvswitch-custom.te
>> +openvswitch-custom.fc
>> +openvswitch-custom.pp
>> +openvswitch-custom.if
>> +tmp/
>> diff --git a/selinux/automake.mk b/selinux/automake.mk
>> index b37e8f337..c7dfe6ed5 100644
>> --- a/selinux/automake.mk
>> +++ b/selinux/automake.mk
>> @@ -6,11 +6,12 @@
>>  # without warranty of any kind.
>>
>>  EXTRA_DIST += \
>> +        selinux/openvswitch-custom.fc.in \
>>          selinux/openvswitch-custom.te.in
>>
>>  PHONY: selinux-policy
>>
>> -selinux-policy: selinux/openvswitch-custom.te
>> +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
>>         $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
>>
>>  CLEANFILES += \
>> diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
>> new file mode 100644
>> index 000000000..c2756d04b
>> --- /dev/null
>> +++ b/selinux/openvswitch-custom.fc.in
>> @@ -0,0 +1 @@
>> +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
>
> It seems that the above line did not work for me on Centos 7 (at least
> automatically). If you use vagrant then you can repro by:

Right, I'm not surprised.  I discovered that there needs to still be a
relabel operation.

> # cd poc/builders
> # vagrant up centosbuilder
> # vagrant ssh centosbuilder
> # cd /var/www/html/RPMS/x86_64
> # install ovs rpm
> # cd /var/www/html/RPMS/noarch
> # install selinux rpm
> # ls -Z /usr/share/openvswitch/scripts/ovs-kmod-ctl

But I wonder if it's still not functional after 4/4 - I'll look into it.

> to see it for yourself.
>> --
>> 2.14.3
>>
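
The policy side that this .fc entry relies on, and the relabel step the thread above ends on, as an added illustrative sketch. This is not the patch's own openvswitch-custom.te.in (patch 2/4 of the series is not shown on this page); the type names openvswitch_t, openvswitch_load_module_t and openvswitch_load_module_exec_t come from the thread, the refpolicy interfaces used are standard ones, and the module name, version and the rules granting the helper its working permissions inside the new domain are assumptions.

```selinux
# Added example, not OVS's own policy: the minimum needed for the .fc line
# "@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)"
# to produce a domain transition. Module name/version are placeholders.
policy_module(openvswitch-custom, 0.1)

gen_require(`
    # The daemon domain ovs-vswitchd already runs in (defined by the base policy).
    type openvswitch_t;
')

# A separate domain for the helper and an entry-point type for its binary.
# Files labelled openvswitch_load_module_exec_t are the only way into the domain.
type openvswitch_load_module_t;
type openvswitch_load_module_exec_t;
domain_type(openvswitch_load_module_t)
domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t)
role system_r types openvswitch_load_module_t;

# When openvswitch_t executes a file of type openvswitch_load_module_exec_t,
# the new process automatically runs as openvswitch_load_module_t.
# (domain_auto_trans also grants the execute/entrypoint/transition permissions.)
domain_auto_trans(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t)

# The module-loading privilege lives only in the helper domain; openvswitch_t
# itself never needs CAP_SYS_MODULE, which is the point of the split.
allow openvswitch_load_module_t self:capability sys_module;
kernel_request_load_module(openvswitch_load_module_t)

# Assumption: whatever else ovs-kmod-ctl does in the new domain (running
# modprobe, reading /lib/modules, logging) needs its own rules, which depend
# on the distribution's modutils interfaces and are deliberately not sketched here.
```

Build it the same way the automake rule on this page does (`make -f /usr/share/selinux/devel/Makefile`), then `semodule -i openvswitch-custom.pp`. Loading the module registers the file context but does not relabel a helper that is already on disk, which is what the `ls -Z` check in the thread shows; a `restorecon -v /usr/share/openvswitch/scripts/ovs-kmod-ctl` (or the packaging's %post doing the equivalent) is still required, and `sesearch -T -s openvswitch_t -t openvswitch_load_module_exec_t` confirms the transition rule is present in the loaded policy.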

Patch

diff --git a/selinux/.gitignore b/selinux/.gitignore
index 83a0afb51..64e834cd1 100644
--- a/selinux/.gitignore
+++ b/selinux/.gitignore
@@ -1 +1,5 @@ 
 openvswitch-custom.te
+openvswitch-custom.fc
+openvswitch-custom.pp
+openvswitch-custom.if
+tmp/
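Review bot: the ignore list now covers the generated .fc, .pp, .if and tmp/, but nothing visible in this patch removes them on `make clean`: the automake.mk hunk only touches EXTRA_DIST and the selinux-policy prerequisites, and the CLEANFILES block that starts at the end of that hunk has its entries cut off. Please confirm that `selinux/openvswitch-custom.fc` (and the .pp/.if/tmp/ outputs of the devel Makefile, if they are not listed already) are in CLEANFILES, otherwise a cleaned tree keeps stale generated policy around while git silently ignores it.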
diff --git a/selinux/automake.mk b/selinux/automake.mk
index b37e8f337..c7dfe6ed5 100644
--- a/selinux/automake.mk
+++ b/selinux/automake.mk
@@ -6,11 +6,12 @@ 
 # without warranty of any kind.
 
 EXTRA_DIST += \
+        selinux/openvswitch-custom.fc.in \
         selinux/openvswitch-custom.te.in
 
 PHONY: selinux-policy
 
-selinux-policy: selinux/openvswitch-custom.te
+selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc
 	$(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile
 
 CLEANFILES += \
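Review bot: `selinux-policy` now depends on `selinux/openvswitch-custom.fc`, but no rule in this patch produces it from the new `openvswitch-custom.fc.in`; it relies on whatever already turns `.te.in` into `.te`, which is not shown here and should be named in the commit message. It is also worth checking that that substitution expands `@pkgdatadir@` to a literal absolute path: file context entries are regular expressions matched against absolute paths, so an unexpanded `${datadir}`-style value would never match and the helper would keep its default label. Adjacent and unrelated to the change: the `PHONY: selinux-policy` context line lacks its leading dot and so declares nothing.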
diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in
new file mode 100644
index 000000000..c2756d04b
--- /dev/null
+++ b/selinux/openvswitch-custom.fc.in
@@ -0,0 +1 @@ 
+@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
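Review bot: this entry only records the desired label; it is not applied to a helper that is already installed, which is exactly what the `ls -Z` check in the thread shows after installing both RPMs. Loading the policy module registers the file context but does not relabel existing files, so the install path (RPM %post or the selinux-policy target's documentation) needs a `restorecon` on `@pkgdatadir@/scripts/ovs-kmod-ctl` after the module is loaded; without it, ovs-kmod-ctl executes in openvswitch_t and the transition described in the commit message never happens. The `--` qualifier restricting the match to regular files is right for a script.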