From: Aaron Conole
To: Ansis Atteka
Cc: dev@dpdk.org
Date: Wed, 29 Mar 2017 16:03:41 -0400
In-Reply-To: (Aaron Conole's message of "Thu, 09 Mar 2017 10:48:41 -0500")
References: <20170125022225.28883-1-diproiettod@vmware.com> <1F6C7DEC-0479-4A3F-B7BE-82BAB21D6537@vmware.com> <0CBAA34C-3F71-4C70-8B9E-59BD00E7FF68@vmware.com>
Subject: Re: [dpdk-dev] [ovs-dev] [PATCH] selinux: Allow creating tap devices.
Aaron Conole writes:

> Aaron Conole writes:
>
>> Daniele Di Proietto writes:
>>
>>> On 26/01/2017 12:35, "Ansis Atteka" wrote:
>>>
>>>> On 26 January 2017 at 21:24, Aaron Conole wrote:
>>>> Daniele Di Proietto writes:
>>>>
>>>>> On 25/01/2017 00:01, "Ansis Atteka" wrote:
>>>>>
>>>>>> On Jan 25, 2017 4:22 AM, "Daniele Di Proietto" wrote:
>>>>>>
>>>>>> Current SELinux policy in RHEL and Fedora doesn't allow the creation of
>>>>>> TAP devices.
>>>>>>
>>>>>> A tap device is used by dpif-netdev to create internal devices.
>>>>>>
>>>>>> Without this patch, adding any bridge backed by the userspace datapath
>>>>>> would fail.
>>>>>>
>>>>>> This doesn't mean that we can run Open vSwitch with DPDK under SELinux
>>>>>> yet, but at least we can use the userspace datapath.
>>>>>>
>>>>>> Signed-off-by: Daniele Di Proietto
>>>>
>>>> I just noticed this, sorry for jumping in late.
>>>>
>>>>>> Acked-by: Ansis Atteka
>>>>>>
>>>>>> I saw that other open source projects like OpenVPN use the rw_file_perms
>>>>>> shortcut macro. Not sure how relevant that is for OVS, but that macro
>>>>>> expands to a few more function calls than what you have below. Maybe we
>>>>>> don't need it, if what you have just worked.
>>>>>
>>>>> Thanks a lot for the review.
>>>>>
>>>>> I cooked this up using audit2allow and I tested it on Fedora 25. I'm
>>>>> now able to create and delete userspace bridges, without any further
>>>>> complaints from SELinux.
>>>>
>>>> I have the following openvswitch-custom.te that did work to run
>>>> ovs+dpdk under SELinux and pass traffic:

I've posted a series which should allow for vfio, and vhostuser server ports to work:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/330333.html

-Aaron