Description of problem:
In OVS (Open vSwitch) 2.5 we are about to introduce a new feature where all ovs-* daemons would be running under the "openvswitch" instead of the "root" Linux user. However, the current Open vSwitch SELinux policy is too strict and does not allow use of this --user feature (see below why).

Version-Release number of selected component (if applicable):
Verified on Fedora 23 with default configuration and Open vSwitch 2.5 (from GIT repository + Patch http://openvswitch.org/pipermail/dev/2015-November/062367.html).

How reproducible:
100% of the time.

Steps to Reproduce:
1. Build Open vSwitch 2.5 with --user support (needs the patch above)
2. systemctl start openvswitch
3. observe that SELinux prevented Open vSwitch from starting up.

Actual results:
If SELinux is in enforcing mode (the default) then it prevents Open vSwitch from starting up.

Expected results:
Open vSwitch should also be able to run under SELinux enforcing mode, which is used by default.

Additional info:
I am an Open vSwitch developer and encountered this bug while testing the --user feature on Fedora and CentOS. Here is the SELinux *.te file that worked around my issue:

module mypol 1.0;

require {
        type openvswitch_t;
        class process setcap;
        class capability { dac_override setpcap setuid setgid chown };
}

#============= openvswitch_t ==============
allow openvswitch_t self:capability { dac_override setpcap setgid chown setuid };
allow openvswitch_t self:process setcap;
I see these rules in the current Fedora releases.
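The allow rules in the report above are the kind audit2allow derives from the AVC denials that enforcing mode writes to /var/log/audit/audit.log when ovsdb-server and ovs-vswitchd drop privileges to the "openvswitch" user. The script below is an added example, not code from the bug report or from the Open vSwitch project: it performs that derivation itself (one allow rule per source type, target type and object class, permissions merged) over constructed sample denials, and, where the policycoreutils tools are installed, compiles and loads the resulting module. The module name ovs_user_local, the sample AVC lines, the pids and the function names are all assumptions; the sample covers only the setgid/setuid/chown and process setcap denials, so its output is a subset of the reporter's rule set.

```shell
#!/bin/sh
# Derive a local SELinux policy module from AVC denials.
# Added example (assumptions: module name, sample denials, function names).

# Constructed sample denials in audit.log format. They are NOT taken from the
# bug report; they show what enforcing mode logs when the daemons, running
# in the openvswitch_t domain, drop privileges to the "openvswitch" user.
# capability= numbers are the Linux ones: 0=chown, 6=setgid, 7=setuid.
SAMPLE_AVC='type=AVC msg=audit(1448000000.101:201): avc:  denied  { setgid } for  pid=2001 comm="ovsdb-server" capability=6  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1448000000.102:202): avc:  denied  { setuid } for  pid=2001 comm="ovsdb-server" capability=7  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1448000000.103:203): avc:  denied  { setcap } for  pid=2001 comm="ovsdb-server" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process permissive=0
type=AVC msg=audit(1448000000.104:204): avc:  denied  { chown } for  pid=2002 comm="ovs-vswitchd" capability=0  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0'

avc_to_te() {
    # Usage: avc_to_te MODULE_NAME < audit_lines
    # Merges denials into one allow rule per (source, target, class), the way
    # audit2allow does, and prints a complete .te module with a require block.
    awk -v modname="$1" '
    function add_perm(set, perm) {
        # append perm to a space-separated set unless already present
        if (index(" " set " ", " " perm " ") == 0)
            return (set == "" ? perm : set " " perm)
        return set
    }
    function fmt(set,    n, tmp) {
        # a single permission needs no braces in policy syntax
        n = split(set, tmp, " ")
        return (n == 1) ? set : "{ " set " }"
    }
    /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third field of a user:role:type:level context
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in rules)) { order[++nkeys] = key; rules[key] = "" }
        if (!(cls in creq))  { corder[++ncls] = cls; creq[cls] = "" }
        if (!(src in treq))  { torder[++ntypes] = src; treq[src] = 1 }
        if (!(tgt in treq))  { torder[++ntypes] = tgt; treq[tgt] = 1 }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rules[key] = add_perm(rules[key], p[j])
            creq[cls]  = add_perm(creq[cls], p[j])
        }
    }
    END {
        print "module " modname " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= ntypes; i++) print "\ttype " torder[i] ";"
        for (i = 1; i <= ncls; i++)   print "\tclass " corder[i] " " fmt(creq[corder[i]]) ";"
        print "}"
        print ""
        for (i = 1; i <= nkeys; i++) {
            split(order[i], k, SUBSEP)
            # same source and target type is written as "self"
            target = (k[1] == k[2]) ? "self" : k[2]
            print "allow " k[1] " " target ":" k[3] " " fmt(rules[order[i]]) ";"
        }
    }'
}

sample_policy() {
    # The .te module derived from the constructed sample denials.
    printf '%s\n' "$SAMPLE_AVC" | avc_to_te ovs_user_local
}

build_and_load() {
    # Usage: build_and_load MODULE_NAME < module.te
    # Compiles and installs the module with the standard policycoreutils
    # tools; returns 2 (and does nothing) where they are not installed.
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "skip: SELinux policy tools not installed" >&2
        return 2
    fi
    dir=$(mktemp -d)
    cat > "$dir/$name.te"
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
    semodule -i "$dir/$name.pp"
}

# Running the file prints the derived module; to install it on a test host:
#   sample_policy | build_and_load ovs_user_local
sample_policy
```

Treat the generated rules as a starting point, not a finished policy: rules derived this way grant exactly what was denied, which is why the reporter's module ends up with dac_override and setpcap in the openvswitch_t domain, and a local module like this only papers over the gap until the distribution's openvswitch policy is updated to cover the --user mode.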