[ovs-dev,4/4] rhel: selinux-policy to invoke proper label macros

Message ID 20180320210518.9982-5-aconole@redhat.com
State Changes Requested
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole March 20, 2018, 9:05 p.m. UTC
The rpm doesn't invoke all of the required selinux helpers to enact labeling
or relabeling on all versions of Fedora/RHEL.  According to:
  https://fedoraproject.org/wiki/SELinux/IndependentPolicy

This commit switches to use the selinux rpm macros which will ensure that
all of the labels defined in the .fc.in file are applied properly.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

Ansis Atteka March 26, 2018, 10:05 p.m. UTC | #1
On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
> The rpm doesn't invoke all of the required selinux helpers to enact labeling
> or relabeling on all versions of Fedora/RHEL.  According to:
>   https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>
> This commit switches to use the selinux rpm macros which will ensure that
> all of the labels defined in the .fc.in file are applied properly.

Ok, it seems you need to send similar patch for
rhel/openvswitch.spec.in. Not only for fedora.

In the meantime I will later try to add fedorabuilder to the Vagrant
builder recipes and test what you have for Fedora.

Also, why was I able to reload openvswitch kernel module on CentOS
without the ovs-kmod-ctl being properly marked? Are there some rules
that we would need to remove now from openvswitch.te?

>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 8fbc985ce..b606cb7e0 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>  %clean
>  rm -rf $RPM_BUILD_ROOT
>
> +%pre selinux-policy
> +%selinux_relabel_pre -s targeted
> +
>  %preun
>  %if 0%{?systemd_preun:1}
>      %systemd_preun %{name}.service
> @@ -444,7 +447,7 @@ fi
>  %endif
>
>  %post selinux-policy
> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>
>  %postun
>  %if 0%{?systemd_postun:1}
> @@ -476,9 +479,12 @@ fi
>
>  %postun selinux-policy
>  if [ $1 -eq 0 ] ; then
> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>  fi
>
> +%posttrans selinux-policy
> +%selinux_relabel_post -s targeted
> +
>  %files selinux-policy
>  %defattr(-,root,root)
>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> --
> 2.14.3
>
Aaron Conole March 27, 2018, 1:55 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>> or relabeling on all versions of Fedora/RHEL.  According to:
>>   https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>
>> This commit switches to use the selinux rpm macros which will ensure that
>> all of the labels defined in the .fc.in file are applied properly.
>
> Ok, it seems you need to send similar patch for
> rhel/openvswitch.spec.in. Not only for fedora.

Cool, will do.

> In the meantime I will later try to add fedorabuilder to the Vagrant
> builder recipes and test what you have for Fedora.

Ansis++!! Thanks!

> Also, why was I able to reload openvswitch kernel module on CentOS
> without the ovs-kmod-ctl being properly marked? Are there some rules
> that we would need to remove now from openvswitch.te?

I'm not sure.  I'm using Fedora and RHEL for my testing, and it seems
the policies/labels are a bit different.  Maybe Lukas (cc'd) knows more?

>>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
>> index 8fbc985ce..b606cb7e0 100644
>> --- a/rhel/openvswitch-fedora.spec.in
>> +++ b/rhel/openvswitch-fedora.spec.in
>> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>  %clean
>>  rm -rf $RPM_BUILD_ROOT
>>
>> +%pre selinux-policy
>> +%selinux_relabel_pre -s targeted
>> +
>>  %preun
>>  %if 0%{?systemd_preun:1}
>>      %systemd_preun %{name}.service
>> @@ -444,7 +447,7 @@ fi
>>  %endif
>>
>>  %post selinux-policy
>> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>
>>  %postun
>>  %if 0%{?systemd_postun:1}
>> @@ -476,9 +479,12 @@ fi
>>
>>  %postun selinux-policy
>>  if [ $1 -eq 0 ] ; then
>> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>>  fi
>>
>> +%posttrans selinux-policy
>> +%selinux_relabel_post -s targeted
>> +
>>  %files selinux-policy
>>  %defattr(-,root,root)
>>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>> --
>> 2.14.3
>>
Aaron Conole April 25, 2018, 6:02 p.m. UTC | #3
Aaron Conole <aconole@redhat.com> writes:

> Ansis Atteka <ansisatteka@gmail.com> writes:
>
>> On 20 March 2018 at 14:05, Aaron Conole <aconole@redhat.com> wrote:
>>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>>> or relabeling on all versions of Fedora/RHEL.  According to:
>>>   https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>>>
>>> This commit switches to use the selinux rpm macros which will ensure that
>>> all of the labels defined in the .fc.in file are applied properly.
>>
>> Ok, it seems you need to send similar patch for
>> rhel/openvswitch.spec.in. Not only for fedora.
>
> Cool, will do.
>
>> In the meantime I will later try to add fedorabuilder to the Vagrant
>> builder recipes and test what you have for Fedora.
>
> Ansis++!! Thanks!
>
>> Also, why was I able to reload openvswitch kernel module on CentOS
>> without the ovs-kmod-ctl being properly marked? Are there some rules
>> that we would need to remove now from openvswitch.te?
>
> I'm not sure.  I'm using Fedora and RHEL for my testing, and it seems
> the policies/labels are a bit different.  Maybe Lukas (cc'd) knows more?

I have an answer for this (the PoC thing works awesome for my testing,
btw - thanks again!).  Centos is based on RHEL 7.4, which also doesn't
exhibit this behavior.  I believe an upgraded selinux policy (or
possibly systemd) which uses additional contexts is causing this in rhel
7.5 and newer Fedora versions.  Once CentOS is running with the similar
bits to rhel-7.5, I think we will see this, so your point above is
correct - it needs to be there for the openvswitch.spec.in file as well.

Thanks, Ansis!  I'm re-spinning this series.

>>>
>>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>>> ---
>>>  rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>>  1 file changed, 8 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
>>> index 8fbc985ce..b606cb7e0 100644
>>> --- a/rhel/openvswitch-fedora.spec.in
>>> +++ b/rhel/openvswitch-fedora.spec.in
>>> @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>>  %clean
>>>  rm -rf $RPM_BUILD_ROOT
>>>
>>> +%pre selinux-policy
>>> +%selinux_relabel_pre -s targeted
>>> +
>>>  %preun
>>>  %if 0%{?systemd_preun:1}
>>>      %systemd_preun %{name}.service
>>> @@ -444,7 +447,7 @@ fi
>>>  %endif
>>>
>>>  %post selinux-policy
>>> -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>>> +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>>
>>>  %postun
>>>  %if 0%{?systemd_postun:1}
>>> @@ -476,9 +479,12 @@ fi
>>>
>>>  %postun selinux-policy
>>>  if [ $1 -eq 0 ] ; then
>>> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>>> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>>>  fi
>>>
>>> +%posttrans selinux-policy
>>> +%selinux_relabel_post -s targeted
>>> +
>>>  %files selinux-policy
>>>  %defattr(-,root,root)
>>>  %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>>> --
>>> 2.14.3
>>>

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index 8fbc985ce..b606cb7e0 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -340,6 +340,9 @@  rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %preun
 %if 0%{?systemd_preun:1}
     %systemd_preun %{name}.service
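Review bot: `%selinux_relabel_pre -s targeted` in the new `%pre selinux-policy` only expands if the selinux-policy-devel macros are present at build time, and the hunk shows no matching `BuildRequires: selinux-policy-devel` or `%{?selinux_requires}` on the subpackage; when the macro is undefined, rpmbuild leaves the literal text `%selinux_relabel_pre -s targeted` in the scriptlet and the install fails. Please confirm the spec already carries both (the IndependentPolicy page linked in the commit message lists them), and, since the commit message targets all RHEL versions, that the RHEL 7 selinux-policy-devel being built against actually ships this macro.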
@@ -444,7 +447,7 @@  fi
 %endif
 
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
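Review bot: the module priority changes with this replacement in `%post selinux-policy`: plain `semodule -i` installed openvswitch-custom at the default priority 400, whereas `%selinux_modules_install` installs at 200 unless `-p` is given. Because `%postun` only removes the module on erase (`$1 -eq 0`), upgrading from a package built with the old scriptlet leaves the priority-400 copy in the store, and it keeps shadowing the newly installed module. Either pass `-p 400` here or remove the legacy copy first, e.g. `%{_sbindir}/semodule -X 400 -r openvswitch-custom 2>/dev/null || :`. Also note the dropped `&> /dev/null || :` made a failing semodule non-fatal; please check the macro's expansion keeps the install from failing where the SELinux tooling is unavailable.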
@@ -476,9 +479,12 @@  fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+  %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files selinux-policy
 %defattr(-,root,root)
 %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
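Review bot: the erase path in `%postun selinux-policy` removes the module but never relabels, so files that were labelled through openvswitch-custom's file contexts keep stale labels (reported as unlabeled once the types are gone) after `%selinux_modules_uninstall` has run. Add `%selinux_relabel_post -s targeted` inside the `if [ $1 -eq 0 ]` branch, after the uninstall, as the IndependentPolicy template does; the `%pre`/`%posttrans` relabel pair introduced here only covers install and upgrade.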