From: Aaron Conole
Subject: Re: [PATCH] selinux: Allow creating tap devices.
Date: Wed, 29 Mar 2017 16:03:41 -0400
To: Ansis Atteka
Cc: dev-VfR2kkLFssw@public.gmane.org
References: <20170125022225.28883-1-diproiettod@vmware.com> <1F6C7DEC-0479-4A3F-B7BE-82BAB21D6537@vmware.com> <0CBAA34C-3F71-4C70-8B9E-59BD00E7FF68@vmware.com>
In-Reply-To: (Aaron Conole's message of "Thu, 09 Mar 2017 10:48:41 -0500")
Sender: ovs-dev-bounces-yBygre7rU0TnMu66kgdUjQ@public.gmane.org
List-Id: dev.dpdk.org

Aaron Conole writes:

> Aaron Conole writes:
>> Daniele Di Proietto writes:
>>> On 26/01/2017 12:35, "Ansis Atteka" wrote:
>>>> On 26 January 2017 at 21:24, Aaron Conole wrote:
>>>> Daniele Di Proietto writes:
>>>>> On 25/01/2017 00:01, "Ansis Atteka" wrote:
>>>>>> On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" wrote:
>>>>>>
>>>>>> Current SELinux policy in RHEL and Fedora doesn't allow the creation of
>>>>>> TAP devices.
>>>>>>
>>>>>> A tap device is used by dpif-netdev to create internal devices.
>>>>>>
>>>>>> Without this patch, adding any bridge backed by the userspace datapath
>>>>>> would fail.
>>>>>>
>>>>>> This doesn't mean that we can run Open vSwitch with DPDK under SELinux
>>>>>> yet, but at least we can use the userspace datapath.
>>>>>>
>>>>>> Signed-off-by: Daniele Di Proietto
>>>>
>>>> I just noticed this, sorry for jumping in late.
>>>>
>>>>>> Acked-by: Ansis Atteka
>>>>>>
>>>>>> I saw that other open source projects like OpenVPN use the rw_file_perms
>>>>>> shortcut macro. Not sure how relevant that is for OVS, but that macro
>>>>>> expands to a few more permissions than what you have below. Maybe we
>>>>>> don't need it, if what you have just worked.
>>>>>
>>>>> Thanks a lot for the review.
>>>>>
>>>>> I cooked this up using audit2allow and I tested it on Fedora 25. I'm
>>>>> now able to create and delete userspace bridges, without any further
>>>>> complaints from SELinux.
>>>>
>>>> I have the following openvswitch-custom.te that did work to run
>>>> ovs+dpdk under SELinux and pass traffic:

I've posted a series which should allow vfio and vhostuser server ports
to work:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330333.html

-Aaron
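For readers following the thread: the openvswitch-custom.te Ansis refers to is not reproduced in this message, and the patch itself is not quoted. As an added illustration (editor's example, not the OVS project's policy file and not the patch under review), this is what a minimal standalone policy module for the TAP-creation case looks like, in the shape audit2allow produces. The domain type openvswitch_t and the device type tun_tap_device_t (the label on /dev/net/tun) are the names the Fedora/RHEL reference policy uses; the module name and version are assumptions.

```selinux
# Added example, not the project's openvswitch-custom.te. Grants the
# ovs-vswitchd domain what it needs to open /dev/net/tun and create a
# TAP interface via TUNSETIFF. Module name and version are assumptions;
# type and class names are those of the Fedora/RHEL reference policy.
module openvswitch-custom 1.0;

require {
    type openvswitch_t;        # domain of ovs-vswitchd
    type tun_tap_device_t;     # label of /dev/net/tun
    class chr_file { ioctl open read write };
    class tun_socket create;
}

# Open the clone device and issue the TUNSETIFF ioctl on it.
allow openvswitch_t tun_tap_device_t:chr_file { ioctl open read write };

# The kernel models creation of the tun/tap interface itself as a
# tun_socket object owned by the creating domain.
allow openvswitch_t self:tun_socket create;
```

Build and load it with `checkmodule -M -m -o openvswitch-custom.mod openvswitch-custom.te`, `semodule_package -o openvswitch-custom.pp -m openvswitch-custom.mod` and `semodule -i openvswitch-custom.pp`. Before loading, check whether the base policy already grants the access (`sesearch -A -s openvswitch_t -t tun_tap_device_t -c chr_file`), and after a failed bridge creation confirm the rules match the actual denials rather than guessing (`ausearch -m AVC -ts recent | audit2allow`). The rw_file_perms macro Ansis mentions is a reference-policy shorthand that additionally grants getattr, lock and append; the four explicit permissions above are the tighter choice when they are all the daemon actually needs.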