From: Aaron Conole <aconole-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Ansis Atteka <ansisatteka-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: dev-yBygre7rU0TnMu66kgdUjQ@public.gmane.org, dev-VfR2kkLFssw@public.gmane.org
Subject: Re: [PATCH] selinux: Allow creating tap devices.
Date: Wed, 29 Mar 2017 16:03:41 -0400 [thread overview]
Message-ID: <f7tk277lujm.fsf@redhat.com> (raw)
In-Reply-To: <f7tpohqmox2.fsf-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> (Aaron Conole's message of "Thu, 09 Mar 2017 10:48:41 -0500")
Aaron Conole <aconole-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
> Aaron Conole <aconole-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> writes:
>> Daniele Di Proietto <diproiettod-pghWNbHTmq7QT0dZR+AlfA@public.gmane.org> writes:
>>> On 26/01/2017 12:35, "Ansis Atteka" <ansisatteka-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>On 26 January 2017 at 21:24, Aaron Conole <aconole-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>>>>Daniele Di Proietto <diproiettod-pghWNbHTmq7QT0dZR+AlfA@public.gmane.org> writes:
>>>>> On 25/01/2017 00:01, "Ansis Atteka" <ansisatteka-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>>>On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" <diproiettod-pghWNbHTmq7QT0dZR+AlfA@public.gmane.org> wrote:
>>>>>>
>>>>>>Current SELinux policy in RHEL and Fedora doesn't allow the creation of
>>>>>>TAP devices.
>>>>>>
>>>>>>A tap device is used by dpif-netdev to create internal devices.
>>>>>>
>>>>>>Without this patch, adding any bridge backed by the userspace datapath
>>>>>>would fail.
>>>>>>
>>>>>>This doesn't mean that we can run Open vSwitch with DPDK under SELinux
>>>>>>yet, but at least we can use the userspace datapath.
>>>>>>
>>>>>>Signed-off-by: Daniele Di Proietto <diproiettod-pghWNbHTmq7QT0dZR+AlfA@public.gmane.org>
>>>>
>>>>I just noticed this, sorry for jumping in late.
>>>>
>>>>>>Acked-by: Ansis Atteka <aatteka-LZ6Gd1LRuIk@public.gmane.org>
>>>>>>
>>>>>>
>>>>>>I saw that other open source projects like OpenVPN use the rw_file_perms
>>>>>> shortcut macro. Not sure how relevant that is for OVS, but that macro
>>>>>> expands to a few more function calls than what you have
>>>>>> below. Maybe we don't need it, if what you have
>>>>>> just worked.
>>>>>
>>>>> Thanks a lot for the review.
>>>>>
>>>>> I cooked this up using audit2allow and I tested it on Fedora 25. I'm
>>>>> now able to create and delete userspace bridges, without any further
>>>>> complaints from SELinux.
>>>>
>>>>I have the following openvswitch-custom.te that did work to run
>>>>OVS+DPDK under SELinux and pass traffic:
I've posted a series which should allow vfio and vhostuser server
ports to work:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330333.html
-Aaron
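As an added illustration for the thread above (not the patch under review, and not audit2allow itself): how a batch of AVC denial records is reduced to the allow rules of a .te module like the openvswitch-custom.te discussed, with explicit permissions instead of the rw_file_perms shortcut. The audit log lines are constructed, and the type names openvswitch_t and tun_tap_device_t are assumed from the Fedora policy.

```python
import re

# Constructed sample of what /var/log/audit/audit.log records when
# ovs-vswitchd opens /dev/net/tun to create a tap device and no rule
# allows it (type names assumed from the Fedora policy).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1485334000.123:456): avc:  denied  { read write } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=9 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485334000.124:457): avc:  denied  { open } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=9 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1485334000.130:458): avc:  denied  { ioctl } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=9 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1485334000.130:458): arch=c000003e syscall=16 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):.*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)")

def merge_denials(log_text):
    """Collapse AVC records into {(source type, target type, class): perms}."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)          # SYSCALL and other records are skipped
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def to_policy_module(rules, name="openvswitch_custom"):
    """Render a .te module (checkmodule syntax) listing exactly the denied
    permissions, instead of a shortcut macro such as rw_file_perms, which
    would also grant getattr, append and lock."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_policy_module(merge_denials(SAMPLE_AUDIT_LOG)))
```

The generated module is what you would compile with checkmodule/semodule_package and install with semodule -i; review the permission set first, since it reproduces every denial in the log, not only the ones you intend to allow.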