Bug 1295250 - Open vSwitch 2.5 needs new SElinux policy after introducing --user argument
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: unspecified
Hardware/OS: All Linux
Severity: high
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-01-03 20:47 EST by Ansis Atteka
Modified: 2016-05-05 17:27 EDT
Fixed In Version: selinux-policy-3.13.1-158.16.fc23
Doc Type: Bug Fix
Clones: 1296640
Last Closed: 2016-05-05 17:27:27 EDT
Type: Bug

Description Ansis Atteka 2016-01-03 20:47:34 EST
Description of problem:

In OVS (Open vSwitch) 2.5 we are about to introduce a new feature where all ovs-* daemons would be running under the "openvswitch" instead of the "root" Linux user.  However, the current Open vSwitch SElinux policy is too strict and does not allow the use of this --user feature (see below for why).

Version-Release number of selected component (if applicable):

Verified on Fedora 23 with default configuration and Open vSwitch 2.5 (from GIT repository + Patch http://openvswitch.org/pipermail/dev/2015-November/062367.html).

How reproducible:

100% of the time.

Steps to Reproduce:
1. Build Open vSwitch 2.5 with --user support (needs the patch above)
2. systemctl start openvswitch
3. observe that SElinux prevented Open vSwitch from starting up.

Actual results:

If SElinux is in enforcing mode (the default) then it prevents Open vSwitch from starting up.

Expected results:

Open vSwitch should also be able to run under SElinux enforcing mode, which is used by default.

Additional info:

I am an Open vSwitch developer and encountered this bug while testing the --user feature on Fedora and CentOS. Here is the SElinux *.te file that worked around my issue:

module mypol 1.0;

require {
        type openvswitch_t;
        class process setcap;
        class capability { dac_override setpcap setuid setgid chown };
}

#============= openvswitch_t ==============
# Dropping from root to the openvswitch user needs setuid/setgid (and setpcap/setcap
# to keep the capabilities the daemons retain after the switch); chown/dac_override
# cover files created as root before the switch.
allow openvswitch_t self:capability { dac_override setpcap setgid chown setuid };
allow openvswitch_t self:process setcap;
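The policy module above is the kind of output audit2allow produces from the AVC denials logged when the daemons fail to start. As an added example (not part of the bug report or of Open vSwitch), the following parses AVC denial lines and renders the matching require block and allow rules; the audit lines in SAMPLE_AVC are constructed for illustration, not taken from a real system, and the pid/comm values in them are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample denials for openvswitch_t (not real audit.log content).
SAMPLE_AVC = """\
type=AVC msg=audit(1451875654.123:101): avc:  denied  { setuid } for  pid=1234 comm="ovs-vswitchd" capability=7  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1451875654.124:102): avc:  denied  { setgid } for  pid=1234 comm="ovs-vswitchd" capability=6  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1451875654.125:103): avc:  denied  { setcap } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    # system_u:system_r:openvswitch_t:s0 -> openvswitch_t (third field is the type)
    return context.split(':')[2]

def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC denial lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial line; ignore
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules

def to_te(rules, name='mypol', version='1.0'):
    """Render a .te module: require block, then one allow rule per (src, tgt, class)."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)          # merge permissions per class for the require block
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {cls} {{ {" ".join(sorted(p))} }};' for cls, p in sorted(classes.items())]
    lines += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt_str = 'self' if src == tgt else tgt   # same source and target type -> self
        lines.append(f'allow {src} {tgt_str}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(to_te(parse_avc(SAMPLE_AVC)), end='')
```

On a real host the input would come from `ausearch -m avc` rather than the embedded sample, and the generated rules should be reviewed rather than installed blindly, since they grant exactly what was denied.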
Comment 1 Miroslav Grepl 2016-05-05 16:17:13 EDT
I see these rules in the current Fedora releases.
