Bug 1295250

Summary: Open vSwitch 2.5 needs new SELinux policy after introducing --user argument
Product: Fedora
Component: selinux-policy
Version: 23
Hardware: All
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: high
Priority: unspecified
Type: Bug
Reporter: Ansis Atteka <ansisatteka>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Fixed In Version: selinux-policy-3.13.1-158.16.fc23
Doc Type: Bug Fix
Clones: 1296640
Last Closed: 2016-05-05 21:27:27 UTC

Description Ansis Atteka 2016-01-04 01:47:34 UTC
Description of problem:

In OVS (Open vSwitch) 2.5 we are about to introduce a new feature where all ovs-* daemons would be running under the "openvswitch" Linux user instead of "root". However, the current Open vSwitch SELinux policy is too strict and does not allow this --user feature to be used (see below why).

Version-Release number of selected component (if applicable):

Verified on Fedora 23 with default configuration and Open vSwitch 2.5 (from the GIT repository + patch http://openvswitch.org/pipermail/dev/2015-November/062367.html).

How reproducible:

100% of the time.

Steps to Reproduce:
1. Build Open vSwitch 2.5 with --user support (needs the patch above)
2. systemctl start openvswitch
3. Observe that SELinux prevented Open vSwitch from starting up.

Actual results:

If SELinux is in enforcing mode (the default) then it prevents Open vSwitch from starting up.

Expected results:

Open vSwitch should also be able to run under SELinux enforcing mode, which is used by default.

Additional info:

I am an Open vSwitch developer and encountered this bug while testing the --user feature on Fedora and CentOS. Here is the SELinux *.te file that worked around my issue:

module mypol 1.0;

require {
        type openvswitch_t;
        class process setcap;
        class capability { dac_override setpcap setuid setgid chown };
}

#============= openvswitch_t ==============
# Let the ovs-* daemons, while still running as root, change their uid/gid
# (setuid, setgid), chown files, bypass DAC checks (dac_override) and adjust
# their own capability sets (capability setpcap, process setcap) on the way
# to the unprivileged "openvswitch" user.
allow openvswitch_t self:capability { dac_override setpcap setgid chown setuid };
allow openvswitch_t self:process setcap;

Comment 1 Miroslav Grepl 2016-05-05 20:17:13 UTC
I see these rules in the current Fedora releases.
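The following script is an added example, not code from the bug report or from the Open vSwitch project. It writes the workaround module from the description to disk, lists the capabilities it opens for review, checks with sesearch whether the loaded policy already carries those rules (the point of Comment 1), and otherwise builds and installs the module. It assumes a Fedora/RHEL host with checkmodule, semodule_package, semodule and sesearch installed (checkpolicy, policycoreutils, setools-console); the install step needs root. The module name "mypol" comes from the report; the function names, the temporary directory layout and the ovs-vswitchd comm filter are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or Open vSwitch): build, load and
# verify the workaround policy module for the --user feature.
# Assumes checkmodule/semodule_package (checkpolicy), semodule
# (policycoreutils) and sesearch (setools-console); root for semodule -i.
set -eu

# Write the .te source from the bug report to the path given in $1.
write_ovs_user_te() {
    cat > "$1" <<'EOF'
module mypol 1.0;

require {
        type openvswitch_t;
        class process setcap;
        class capability { dac_override setpcap setuid setgid chown };
}

# Let the daemons drop from root to the openvswitch user (--user).
allow openvswitch_t self:capability { dac_override setpcap setgid chown setuid };
allow openvswitch_t self:process setcap;
EOF
}

# Print, sorted one per line, the capabilities the .te file in $1 grants
# openvswitch_t on itself, so a reviewer sees exactly what is being opened.
te_self_caps() {
    sed -n 's/^allow openvswitch_t self:capability *{\([^}]*\)}.*/\1/p' "$1" \
        | tr ' ' '\n' | sed '/^$/d' | sort
}

# Compile the .te in $1 into the loadable package named in $2 (a .pp path).
build_policy_module() {
    checkmodule -M -m -o "${2%.pp}.mod" "$1"
    semodule_package -o "$2" -m "${2%.pp}.mod"
}

# Return 0 if the loaded policy already allows everything the module asks for.
policy_has_ovs_user_rules() {
    caps=$(sesearch -A -s openvswitch_t -t openvswitch_t -c capability 2>/dev/null || true)
    for c in dac_override setpcap setuid setgid chown; do
        printf '%s\n' "$caps" | grep -qw "$c" || return 1
    done
    sesearch -A -s openvswitch_t -t openvswitch_t -c process -p setcap 2>/dev/null \
        | grep -qw setcap
}

# Draft a module from the recent AVC denials of ovs-vswitchd (assumed comm
# name) with audit2allow; review the draft before loading it, since
# audit2allow allows whatever was denied.
draft_module_from_denials() {
    ausearch -m AVC,USER_AVC -ts recent -c ovs-vswitchd | audit2allow -M "${1:-ovsdraft}"
}

# Entry point: write the module into $1 (or a temporary directory), skip the
# install when the policy already has the rules, build and install otherwise.
ovs_user_policy_main() {
    dir=${1:-$(mktemp -d)}
    write_ovs_user_te "$dir/mypol.te"
    echo "wrote $dir/mypol.te granting: $(te_self_caps "$dir/mypol.te" | tr '\n' ' ')"
    if command -v sesearch >/dev/null 2>&1 && policy_has_ovs_user_rules; then
        echo "loaded policy already has the rules; nothing to install"
        return 0
    fi
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found; skipping build" >&2
        return 0
    fi
    build_policy_module "$dir/mypol.te" "$dir/mypol.pp"
    if [ "$(id -u)" -eq 0 ] && command -v semodule >/dev/null 2>&1; then
        semodule -i "$dir/mypol.pp"
        echo "installed mypol"
    else
        echo "built $dir/mypol.pp; install with: semodule -i $dir/mypol.pp"
    fi
}

ovs_user_policy_main "${1:-}"
```

On a host where selinux-policy already contains the rules (as Comment 1 reports for current Fedora), the sesearch check short-circuits and nothing is installed; on an older policy the script builds mypol.pp and installs it when run as root. After installing, `systemctl start openvswitch` followed by `ausearch -m AVC -ts recent` should show no new denials for openvswitch_t.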