Bug 1003717
| Summary: | openvswitch + mininet = SELinux AVCs | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jose Pedro Oliveira <jose.p.oliveira.oss> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | chrisw, dominick.grift, dwalsh, fleitner, i, jose.p.oliveira.oss, lvrabec, markmc, mgrepl, tgraf |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-74.19.fc19 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-03-15 15:22:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jose Pedro Oliveira
2013-09-03 01:47:48 UTC
A couple of notes about the virtual network topologies created by mininet: Virtual network topologies have the following defaults: * the controller - ovs-controller - listens on TCP/6633 * the first switch listens on TCP/6634 * the second switch listens on TCP/6635 * ... The default (minimal) topology created by "sudo mn" has: * one controller * one switch * two hosts (h1:10.10.10.1; h2:10.10.10.2) Each host is a bash process with its own IP address (network namespace) What version of selinux-policy do you have installed? Sorry! I forgot to add the selinux package info. Selinux version when the ticket was created: selinux-policy-3.12.1-73.fc19.noarch selinux-policy-targeted-3.12.1-73.fc19.noarch The problem can still be reproduced with: selinux-policy-targeted-3.12.1-74.10.fc19.noarch selinux-policy-3.12.1-74.10.fc19.noarch BTW: I have here a SRPM that builds and installs correctly in Fedora19+ [1]: http://um-pe09-2.di.uminho.pt/fedora/mininet-2.1.0-0.1.fc19.src.rpm Contents: --------- $ rpm -qpl mininet-2.1.0-0.1.fc19.src.rpm --------- 0001-Fixes-compiler-warning-implicit-declaration-of-funct.patch 0002-Fixes-compiler-warning-control-reaches-end-of-non-vo.patch mininet-2.1.0.tar.gz mininet.spec --------- Note: the two patches have already been pulled by upstream (but only after the 2.1.0 release). [1] - still need to test the python examples to see which modules have to be add to the requirements list. Reassigning to selinux-policy to update the policy. This means openvswitch can be a service listen on tcp_socket? Is port 6634 the standard port this listens on? And is 6633 a standard port it connects on? grep 6633 /etc/services cisco-vpath-tun 6633/udp # Cisco vPath Services Overlay b9e29fc187e0ef9faeee1dd9772446cb45a4d031 and 1289f030a62736f6cb75af326064533d0e659a69 fix this in git. Needs to be back ported to RHEL7, F20 and F19 Daniel Walsh, (In reply to Daniel Walsh from comment #6) > This means openvswitch can be a service listen on tcp_socket? > > Is port 6634 the standard port this listens on? > > And is 6633 a standard port it connects on? > > > grep 6633 /etc/services > cisco-vpath-tun 6633/udp # Cisco vPath Services Overlay The old the facto standard for the OpenFlow port has always been 6633/TCP. The problem is that when they contacted IANA for making it official, port 6633/UDP had already been given to Cisco, and the official OpenFlow port become 6653/TCP since 2013-07-18 (see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openflow). This change will cause problems to openvswitch and mininet (that uses openvswitch by default). Regarding this particular ticket: currently mininet creates topologies using the following ports: * 6633/TCP - controller * 6634/TCP - first switch * 6635/TCP - second switch * 6636/TCP - third switch * ... and so on ... A minimal topology with 1 controller and 1 switch will only require ports 6633 and 6634/TCP. More complex topologies (user defined) will require n+1 ports where n is the number of switches. /jpo back ported to F20(also RHEL7) and F19 branch. selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19 Package selinux-policy-3.12.1-74.19.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19 then log in and leave karma (feedback). Hi, mininet is in my todo list on packaging. If you have time, please help test this package when I submit it. Thank you! Christopher Meng, (In reply to Christopher Meng from comment #12) > Hi, > > mininet is in my todo list on packaging. > > If you have time, please help test this package when I submit it. .. or, instead of starting from scratch, you could help improving the mininet SRPM/specfile listed in comment #4. Note: * the two patches included in the SRPM are already upstream (just have to check if they were included in mininet 2.1.0p1) /jpo selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |