Bug 845417

Summary: Add SELinux policy for openvswitch daemons
Product: Red Hat Enterprise Linux 6 Reporter: Cong Wang <amwang>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: high    
Version: 6.3CC: dwalsh, ebenes, mmalik, mtruneck, rkhan, tgraf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-175.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 08:27:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 805652    
Bug Blocks:    

Description Cong Wang 2012-08-03 03:07:14 UTC 
Description of problem:

Openvswitch service starts the following daemons:

    * ovs-vswitchd, a daemon that implements the switch, along with 
      a companion Linux kernel module for flow-based switching.

    * ovsdb-server, a lightweight database server that ovs-vswitchd
      queries to obtain its configuration.

    * ovs-brcompatd, a daemon that allows ovs-vswitchd to act as a
      drop-in replacement for the Linux bridge in many environments, 
      along with a companion Linux kernel module to intercept bridge 
      ioctls.

All of them need policy.

Additional info:

See also "Overview of functionality and components":

http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=README;hb=HEAD
Comment 2 Milos Malik 2012-08-03 08:16:11 UTC 
Are the daemons you talk about related to quantum-openswitch-agent service ?

# rpm -qa selinux-policy\*
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-3.7.19-155.el6_3.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service quantum-openvswitch-agent status
quantum-openvswitch-agent is stopped
# service quantum-openvswitch-agent start
Starting quantum-openvswitch-agent:                        [  OK  ]
# service quantum-openvswitch-agent status
quantum-openvswitch-agent (pid  2199) is running...
# ps -efZ | grep switch
unconfined_u:system_r:quantum_t:s0 quantum 2199    1  5 10:09 ?        00:00:00 python /usr/bin/quantum-openvswitch-agent /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2225 2045  0 10:09 pts/0 00:00:00 grep switch
# service quantum-openvswitch-agent stop
Stopping quantum-openvswitch-agent:                        [  OK  ]
# service quantum-openvswitch-agent status
quantum-openvswitch-agent is stopped
#
Comment 3 Miroslav Grepl 2012-08-03 08:26:37 UTC 
We have this policy in RHEL7/Fedora.

quantum.fc:/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
Comment 4 Cong Wang 2012-08-03 08:39:16 UTC 
It looks like quantum-openvswitch-agent is a quantum plugin for openvswitch? I am not a virt people, so know very little about openstack.
Comment 5 Michal Trunecka 2012-09-21 08:00:14 UTC 
Cong, is there any openvswitch RPM available to install on RHEL6 or is it recommended to be installed from tar.gz?
Comment 6 Cong Wang 2012-09-21 08:25:23 UTC 
RPM package is not available yet, you need to build it from spec file. You can find it here:

http://git.engineering.redhat.com/?p=users/tgraf/openvswitch-rhel6.git
Comment 8 Miroslav Grepl 2012-10-15 18:26:55 UTC 
Is already the package available from brew?
Comment 9 Cong Wang 2012-10-16 02:19:07 UTC 
Try the RPM from Thomas:
http://file.bos.redhat.com/tgraf/openvswitch/
Comment 10 Miroslav Grepl 2012-10-23 11:07:55 UTC 
I added an intial openvswitch policy to selinux-policy-3.7.19-175.el6

How to test.

1. install these builds
2. semodule -d unconfined
3. setenforce 0
4. re-test it
5. ausearch -m avc > /tmp/openvswitch.log

and attach this log. Thank you.

6. semodule -e unconfined
7. setenforce 1
Comment 14 errata-xmlrpc 2013-02-21 08:27:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html