[ovs-dev,v2,5/5] rhel: selinux-policy to invoke proper label macros

Message ID 20180504182818.24299-6-aconole@redhat.com
State Superseded
Series
  • selinux: introduce a transition domain for loading kmods

Commit Message

Aaron Conole May 4, 2018, 6:28 p.m. UTC
The rpm doesn't invoke all of the required selinux helpers to enact labeling
or relabeling on all versions of Fedora/RHEL.  According to:
  https://fedoraproject.org/wiki/SELinux/IndependentPolicy

This commit switches to use the selinux rpm macros which will ensure that
all of the labels defined in the .fc.in file are applied properly.

Acked-By: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 rhel/openvswitch-fedora.spec.in | 10 ++++++++--
 rhel/openvswitch.spec.in        | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

Comments

Ansis Atteka May 15, 2018, 7:58 p.m. UTC | #1
On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote:

> The rpm doesn't invoke all of the required selinux helpers to enact labeling
> or relabeling on all versions of Fedora/RHEL.  According to:
>     https://fedoraproject.org/wiki/SELinux/IndependentPolicy

> This commit switches to use the selinux rpm macros which will ensure that
> all of the labels defined in the .fc.in file are applied properly.

> Acked-By: Timothy Redaelli <tredaelli@redhat.com>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
Awesome work, Aaron. Thanks!

Acked-by: Ansis Atteka <aatteka@ovn.org>

FYI: While testing your patches I somehow got into a strange condition where
on CentOS I ran into the following error during the /etc/init.d/openvswitch
restart step:

32728 execve("/sbin/modprobe", ["modprobe", "openvswitch"], [/* 22 vars */]) = 0
...
init_module(0x8ea250, 15901, "")  = -1 EPROTOTYPE

But it is probably unrelated to your patches because if it had something to do
with SELinux then it would have been an EPERM error. I just redeployed the
centosbuilder with vagrant and the issue went away. Mentioning it in case you
saw something similar.

> ---
>    rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>    rhel/openvswitch.spec.in        | 10 ++++++++--
>    2 files changed, 16 insertions(+), 4 deletions(-)

> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
openvswitch-fedora.spec.in
> index bf4526de2..e7d5d536d 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -339,6 +339,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>    %clean
>    rm -rf $RPM_BUILD_ROOT

> +%pre selinux-policy
> +%selinux_relabel_pre -s targeted
> +
>    %preun
>    %if 0%{?systemd_preun:1}
>        %systemd_preun %{name}.service
> @@ -449,7 +452,7 @@ fi
>    %endif

>    %post selinux-policy
> -/usr/sbin/semodule -i
%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +%selinux_modules_install -s targeted
%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp

>    %postun
>    %if 0%{?systemd_postun:1}
> @@ -481,9 +484,12 @@ fi

>    %postun selinux-policy
>    if [ $1 -eq 0 ] ; then
> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>    fi

> +%posttrans selinux-policy
> +%selinux_relabel_post -s targeted
> +
>    %files selinux-policy
>    %defattr(-,root,root)
>    %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in
> index 883d25607..9dca3873b 100644
> --- a/rhel/openvswitch.spec.in
> +++ b/rhel/openvswitch.spec.in
> @@ -169,8 +169,11 @@ fi
>    /sbin/chkconfig --add openvswitch
>    /sbin/chkconfig openvswitch on

> +%pre selinux-policy
> +%selinux_relabel_pre -s targeted
> +
>    %post selinux-policy
> -/usr/sbin/semodule -i
%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +%selinux_modules_install -s targeted
%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp

>    %preun
>    if [ "$1" = "0" ]; then     # $1 = 0 for uninstall
> @@ -187,11 +190,14 @@ fi

>    %postun selinux-policy
>    if [ $1 -eq 0 ] ; then
> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>    fi

>    exit 0

> +%posttrans selinux-policy
> +%selinux_relabel_post -s targeted
> +
>    %files
>    %defattr(-,root,root)
>    %dir /etc/openvswitch
> --
> 2.14.3
Aaron Conole May 18, 2018, 8 p.m. UTC | #2
Ansis Atteka <ansisatteka@gmail.com> writes:

> On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole@redhat.com> wrote:
>
>> The rpm doesn't invoke all of the required selinux helpers to enact labeling
>> or relabeling on all versions of Fedora/RHEL.  According to:
>>     https://fedoraproject.org/wiki/SELinux/IndependentPolicy
>
>> This commit switches to use the selinux rpm macros which will ensure that
>> all of the labels defined in the .fc.in file are applied properly.
>
>> Acked-By: Timothy Redaelli <tredaelli@redhat.com>
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
> Awesome work, Aaron. Thanks!
>
> Acked-by: Ansis Atteka <aatteka@ovn.org>
>
> FYI: While testing your patches I somehow got into a strange condition where
> on CentOS I ran into the following error during the /etc/init.d/openvswitch
> restart step:
>
> 32728 execve("/sbin/modprobe", ["modprobe", "openvswitch"], [/* 22 vars */]) = 0
> ...
> init_module(0x8ea250, 15901, "")  = -1 EPROTOTYPE
>
> But it is probably unrelated to your patches because if it had something to do
> with SELinux then it would have been an EPERM error. I just redeployed the
> centosbuilder with vagrant and the issue went away. Mentioning it in case you
> saw something similar.

Thanks for the heads up.  I didn't observe this (neither on CentOS, Fedora,
nor RHEL).  Also, the error message is quite strange.  The kernel only emits
that error in some very specific cases (and I don't think they're
applicable).  Maybe it's an error from glibc?  Not sure.

>> ---
>>    rhel/openvswitch-fedora.spec.in | 10 ++++++++--
>>    rhel/openvswitch.spec.in        | 10 ++++++++--
>>    2 files changed, 16 insertions(+), 4 deletions(-)
>
>> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
> openvswitch-fedora.spec.in
>> index bf4526de2..e7d5d536d 100644
>> --- a/rhel/openvswitch-fedora.spec.in
>> +++ b/rhel/openvswitch-fedora.spec.in
>> @@ -339,6 +339,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>>    %clean
>>    rm -rf $RPM_BUILD_ROOT
>
>> +%pre selinux-policy
>> +%selinux_relabel_pre -s targeted
>> +
>>    %preun
>>    %if 0%{?systemd_preun:1}
>>        %systemd_preun %{name}.service
>> @@ -449,7 +452,7 @@ fi
>>    %endif
>
>>    %post selinux-policy
>> -/usr/sbin/semodule -i
> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>> +%selinux_modules_install -s targeted
> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>
>>    %postun
>>    %if 0%{?systemd_postun:1}
>> @@ -481,9 +484,12 @@ fi
>
>>    %postun selinux-policy
>>    if [ $1 -eq 0 ] ; then
>> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>>    fi
>
>> +%posttrans selinux-policy
>> +%selinux_relabel_post -s targeted
>> +
>>    %files selinux-policy
>>    %defattr(-,root,root)
>>    %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>> diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in
>> index 883d25607..9dca3873b 100644
>> --- a/rhel/openvswitch.spec.in
>> +++ b/rhel/openvswitch.spec.in
>> @@ -169,8 +169,11 @@ fi
>>    /sbin/chkconfig --add openvswitch
>>    /sbin/chkconfig openvswitch on
>
>> +%pre selinux-policy
>> +%selinux_relabel_pre -s targeted
>> +
>>    %post selinux-policy
>> -/usr/sbin/semodule -i
> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
>> +%selinux_modules_install -s targeted
> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
>
>>    %preun
>>    if [ "$1" = "0" ]; then     # $1 = 0 for uninstall
>> @@ -187,11 +190,14 @@ fi
>
>>    %postun selinux-policy
>>    if [ $1 -eq 0 ] ; then
>> -  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
>> +  %selinux_modules_uninstall -s targeted openvswitch-custom
>>    fi
>
>>    exit 0
>
>> +%posttrans selinux-policy
>> +%selinux_relabel_post -s targeted
>> +
>>    %files
>>    %defattr(-,root,root)
>>    %dir /etc/openvswitch
>> --
>> 2.14.3

Patch

diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
index bf4526de2..e7d5d536d 100644
--- a/rhel/openvswitch-fedora.spec.in
+++ b/rhel/openvswitch-fedora.spec.in
@@ -339,6 +339,9 @@  rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %preun
 %if 0%{?systemd_preun:1}
     %systemd_preun %{name}.service
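Review bot: the new `%pre selinux-policy` scriptlet only works if `%selinux_relabel_pre` is defined when the spec is built, and neither this hunk nor the diffstat (which touches only the two spec files) shows the dependencies that provide the macro; please confirm the spec already carries `BuildRequires: selinux-policy-devel` and the runtime `%{?selinux_requires}` that the Fedora IndependentPolicy page cited in the commit message calls for. If the macro is undefined at build time, rpm leaves the literal text `%selinux_relabel_pre -s targeted` in the scriptlet and the subpackage fails to install.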
@@ -449,7 +452,7 @@  fi
 %endif
 
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %postun
 %if 0%{?systemd_postun:1}
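Review bot: the removed line redirected semodule's output and ended in `|| :`, so a failed module install never failed the `%post` scriptlet; the replacement runs `%selinux_modules_install -s targeted ...` bare. Unless the macro's expansion carries its own `|| :` on every targeted release (worth checking on the oldest one the spec supports), a semodule failure on a host with SELinux disabled or a stale policy store would now abort installing the selinux-policy subpackage instead of being ignored as before. If that stricter behaviour is intended, say so in the commit message; if not, keep the `|| :` after the macro.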
@@ -481,9 +484,12 @@  fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+  %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files selinux-policy
 %defattr(-,root,root)
 %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
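Review bot: `%posttrans` scriptlets run only for packages being installed or upgraded, never at erase, so the new `%selinux_relabel_post -s targeted` is not executed after the `if [ $1 -eq 0 ]` branch of `%postun` removes the module; files that openvswitch-custom labelled keep their contexts until something else relabels them. Consider calling `%selinux_relabel_post -s targeted` inside that `$1 -eq 0` block, directly after `%selinux_modules_uninstall`, so removal restores the default labels. Minor and pre-existing: `$1` is unquoted in the `[ $1 -eq 0 ]` test.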
diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in
index 883d25607..9dca3873b 100644
--- a/rhel/openvswitch.spec.in
+++ b/rhel/openvswitch.spec.in
@@ -169,8 +169,11 @@  fi
 /sbin/chkconfig --add openvswitch
 /sbin/chkconfig openvswitch on
 
+%pre selinux-policy
+%selinux_relabel_pre -s targeted
+
 %post selinux-policy
-/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 
 %preun
 if [ "$1" = "0" ]; then     # $1 = 0 for uninstall
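Review bot: `-s targeted` is now hard-coded in each new scriptlet of both spec files (six places in this series); defining `%global selinuxtype targeted` once near the top of each spec and passing `-s %{selinuxtype}` to `%selinux_relabel_pre`, `%selinux_modules_install`, `%selinux_modules_uninstall` and `%selinux_relabel_post` keeps the two specs from drifting and makes the one place the policy store is chosen obvious. Otherwise the hunk mirrors the openvswitch-fedora change and reads fine.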
@@ -187,11 +190,14 @@  fi
 
 %postun selinux-policy
 if [ $1 -eq 0 ] ; then
-  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+  %selinux_modules_uninstall -s targeted openvswitch-custom
 fi
 
 exit 0
 
+%posttrans selinux-policy
+%selinux_relabel_post -s targeted
+
 %files
 %defattr(-,root,root)
 %dir /etc/openvswitch
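Review bot: this `%postun selinux-policy` scriptlet still ends in an unconditional `exit 0`, so here a failing `%selinux_modules_uninstall` is swallowed, while the openvswitch-fedora counterpart has no such guard; the two specs should agree on whether an uninstall failure is fatal. As in the fedora spec, `%posttrans` does not run at erase, so any relabel for the removal case has to sit inside the `if [ $1 -eq 0 ]` block, before that `exit 0`, rather than in the new `%posttrans` section.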