[ovs-dev] [PATCH] rhel: provide our own SELinux custom policy package

Aaron Conole aconole at redhat.com
Tue Feb 16 15:33:59 UTC 2016


Thanks for this work, Ansis!

Ansis Atteka <ansisatteka at gmail.com> writes:

> From: Ansis Atteka <aatteka at nicira.com>
>
> CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
> SELinux policy that is too strict and prevents Open vSwitch to work
> normally out of the box.
>
> As a solution, this patch introduces a new package which will "loosen"
> up "openvswitch_t" SELinux domain so that Open vSwitch could operate
> normally.
>
> Intended use-cases of this package are:
> 1. to allow users to install newer Open vSwitch on already released Fedora,
> RHEL and CentOS distributions where the default Open vSwitch SELinux policy
> that shipped with the corresponding Linux distribution is not up to date
> and did not anticipate that a newer Open vSwitch version might need to
> invoke new system calls or need to access certain system resources that
> it did not before; And
> 2. to provide alternative means through which Open vSwitch developers
> can proactively fix SELinux related policy issues without waiting for
> corresponding Linux distribution maintainers to update their central
> Open vSwitch SELinux policy.
>
> This patch was tested on Fedora 23 and CentOS 7. I verified that now
> on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
> not see following error messages:
>
> vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> netlink_socket|ERR|fcntl: Permission denied
> dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
>                  The Open vSwitch kernel module is p robably not loaded.
> dpif|WARN|failed to enumerate system datapaths: Permission denied
> dpif|WARN|failed to create datapath ovs-system: Permission denied
>
> I did not test all Open vSwitch features so there still could be some
> OVS configuration that would get "Permission denied" errors.
>
> Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined"
> SELinux domain, then there is no need to create a similar debian package
> for Ubuntu, because it works on default Ubuntu installation.
>
> Signed-Off-By: Ansis Atteka <aatteka at nicira.com>
> ---
>  INSTALL.SELinux.md              | 166 ++++++++++++++++++++++++++++++++++++++++
>  Makefile.am                     |   2 +
>  README.md                       |   2 +
>  rhel/openvswitch-fedora.spec.in |  27 +++++++
>  selinux/automake.mk             |   9 +++
>  selinux/openvswitch-custom.te   |   9 +++
>  6 files changed, 215 insertions(+)
>  create mode 100644 INSTALL.SELinux.md
>  create mode 100644 selinux/automake.mk
>  create mode 100644 selinux/openvswitch-custom.te
>
> diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md
> new file mode 100644
> index 0000000..dc93d6d
> --- /dev/null
> +++ b/INSTALL.SELinux.md
> @@ -0,0 +1,166 @@
> +Running Open vSwitch under SELinux
> +==================================
> +
> +Security-Enhanced Linux (SELinux) is a Linux kernel security
> +module that limits "the malicious things" that certain processes,
> +including OVS, can do to the system in case they get compromised.
> +In our case SELinux basically serves as the "second line of defense"
> +that limits the things that OVS processes are allowed to do.  The
> +"first line of defense" is proper input validation that eliminates
> +code paths that could be used by attacker to do any sort of
> +"escape attacks" (e.g. file name escape, shell escape, command
> +line argument escape, buffer escape).  Since developers don't
> +always implement proper input validation, then SELinux Access
> +Control's goal is to confine damage of such attacks, if they
> +turned out to be possible.
> +
> +Besides Type Enforcement there are other SELinux
> +features, but they are out of scope for this document.
> +
> +Currently there are two SELinux policies for Open vSwitch:
> +1. the one that ships with your Linux distribution (i.e.
> +   selinux-policy-targeted package); And
> +2. the one that ships with OVS (i.e. openvswitch-selinux-policy
> +   package).
> +
> +
> +Limitations
> +-----------
> +
> +If Open vSwitch is directly started from command line, then it
> +will run under "unconfined_t" SELinux domain that basically lets
> +daemon to do whatever it likes.  This is very important for developers
> +to understand, because they might introduced code in OVS that invokes
> +new system calls that SELinux policy did not anticipate.  This means
> +that their feature may have worked out just fine for them.  However,
> +if someone else would try to run the same code when Open vSwitch is
> +started through systemctl, then Open vSwitch would get Permission Denied
> +errors.
> +
> +Currently the only distributions that enforce SELinux on OVS by
> +default are RHEL, CentOS and Fedora.  While Ubuntu and Debian also
> +have some SELinux support, they run Open vSwitch under the unrestricted
> +"unconfined" domain.  Also, it seems that Ubuntu is leaning towards
> +Apparmor that works slightly differently than SELinux.
> +
> +SELinux and Open vSwitch are moving targets.  What this means
> +is that, if you solely rely on your Linux distribution's SELinux policy,
> +then this policy might not have correctly anticipated that a newer
> +Open vSwitch version needs extra white list rules.  However, if you
> +solely rely on SELinux policy that ships with Open vSwitch, then
> +Open vSwitch developers might not have correctly anticipated the
> +feature set that your SELinux implementation supports.
> +
> +
> +Installation
> +------------
> +
> +Refer to [INSTALL.Fedora.md] for instructions on how to build all
> +Open vSwitch rpm packages.
> +
> +Once the package is built, install it on your Linux distribution with:
> +
> +   # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
> +
> +And, then restart Open vSwitch:
> +
> +   # systemctl restart openvswitch
> +
> +
> +Troubleshooting
> +---------------
> +
> +When SELinux was implemented some of the standard system utilities
> +acquired "-Z" flag (e.g. "ps -Z", "ls -Z").  For example, to find out
> +under which SELinux security domain process runs, use:
> +
> +   # ps -AZ | grep ovs-vswitchd
> +   system_u:system_r:openvswitch_t:s0 854 ?    ovs-vswitchd
> +
> +To find out the SELinux label of file or directory, use:
> +
> +   # ls -Z /etc/openvswitch/conf.db
> +   system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
> +
> +
> +If, for example, SELinux policy for Open vSwitch is too strict,
> +then you might see in Open vSwitch log files "Permission Denied"
> +errors:
> +
> +    # cat /var/log/openvswitch/ovs-vswitchd.log
> +    vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> +    ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> +    ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> +    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> +    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> +    netlink_socket|ERR|fcntl: Permission denied
> +    dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
> +                     The Open vSwitch kernel module is probably not loaded.
> +    dpif|WARN|failed to enumerate system datapaths: Permission denied
> +    dpif|WARN|failed to create datapath ovs-system: Permission denied
> +
> +
> +
> +However, not all "Permission denied" errors are caused by SELinux.  So,
> +before blaming too strict SELinux policy, make sure that indeed SELinux
> +was the one that denied OVS access to certain resources, for example, run:
> +
> +   # grep "openvswitch_t" /var/log/audit/audit.log | tail
> +   type=AVC msg=audit(1453235431.640:114671): avc:  denied  { getopt } for  pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
> +
> +
> +If SELinux denied OVS access to certain resources, then make sure that you
> +have installed our SELinux policy package that "loosens" up distribution's
> +SELinux policy:
> +
> +   # rpm -qa | grep openvswitch-selinux
> +   openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
> +
> +And, then verify that this module was indeed loaded:
> +
> +   # semodule -l | grep openvswitch
> +   openvswitch-custom    1.0
> +   openvswitch          1.1.1
> +
> +If you still see Permission denied errors, then take a look
> +into selinux/openvswitch.te file in the OVS source tree and
> +try to add white list rules.  This is really simple, just run
> +SELinux audit2allow tool:
> +
> +   # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal

Should this also state to report the issue as a bug to
dev at openvswitch.org? Maybe it's out of scope? I don't know. This is good
information definitely.

> +Contributing SELinux policy patches
> +-----------------------------------
> +
> +Here are few things to consider before proposing SELinux policy
> +patches to Open vSwitch developer mailing list:
> +
> +1. The SELinux policy that resides in Open vSwitch source tree
> +   amends SELinux policy that ships with your distributions.
> +
> +   Implications of this are that it is assumed that the distribution's
> +   Open vSwitch SELinux module must be already loaded to satisfy
> +   dependencies.
> +
> +2. The SELinux policy that resides in Open vSwitch source tree
> +   must work on all currently relevant Linux distributions.
> +
> +   Implications of this are that you should use only those SELinux
> +   policy features that are supported by the lowest SELinux version
> +   out there.

Maybe there should just be an explicit version to use, which can be
bumped. Otherwise it's very difficult to figure out which version can be
used.

> +3. The SELinux policy is enforced only when state transition to
> +   openvswitch_t domain happens.
> +
> +   Implications of this are that perhaps instead of loosening SELinux
> +   policy you can do certain things at the time rpm package is installed.
> +
> +
> +
> +Reporting Bugs
> +--------------
> +
> +Please report problems to bugs at openvswitch.org.
> +
> +[INSTALL.md]:INSTALL.md
> diff --git a/Makefile.am b/Makefile.am
> index 75ccadf..a71a4d6 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -79,6 +79,7 @@ docs = \
>  	INSTALL.Libvirt.md \
>  	INSTALL.NetBSD.md \
>  	INSTALL.RHEL.md \
> +        INSTALL.SELinux.md \
>  	INSTALL.SSL.md \
>  	INSTALL.XenServer.md \
>  	INSTALL.userspace.md \
> @@ -431,3 +432,4 @@ include datapath-windows/automake.mk
>  include datapath-windows/include/automake.mk
>  include windows/automake.mk
>  include ovn/automake.mk
> +include selinux/automake.mk
> diff --git a/README.md b/README.md
> index b590928..82065c7 100644
> --- a/README.md
> +++ b/README.md
> @@ -97,6 +97,8 @@ To use Open vSwitch...
>  
>  - ...without using a kernel module, read [INSTALL.userspace.md].
>  
> +- ...with SELinux, read [INSTALL.SELinux.md].
> +
>  For answers to common questions, read [FAQ.md].
>  
>  To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md].
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 00e491b..c018370 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel
>  BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six
>  BuildRequires: desktop-file-utils
>  BuildRequires: groff graphviz
> +BuildRequires: checkpolicy, selinux-policy-devel
>  # make check dependencies
>  BuildRequires: procps-ng
>  %if %{with libcapng}
> @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and
>  support for the OpenFlow protocol for remote per-flow control of
>  traffic.
>  
> +%package selinux-policy
> +Summary: Open vSwitch SELinux policy
> +License: ASL 2.0
> +BuildArch: noarch
> +Requires: selinux-policy-targeted
> +
> +%description selinux-policy
> +Tailored Open vSwitch SELinux policy
> +
>  %package -n python-openvswitch
>  Summary: Open vSwitch python bindings
>  License: ASL 2.0
> @@ -131,6 +141,8 @@ overlays and security groups.
>  	--with-pkidir=%{_sharedstatedir}/openvswitch/pki
>  
>  make %{?_smp_mflags}
> +cd selinux
> +make -f %{_datadir}/selinux/devel/Makefile
>  
>  %install
>  rm -rf $RPM_BUILD_ROOT
> @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
>  touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
>  touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
>  
> +install -p -m 644 -D selinux/openvswitch-custom.pp \
> +        $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> +
>  # remove unpackaged files
>  rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
>          $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \
> @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT
>      fi
>  %endif
>  
> +%post selinux-policy
> +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +
>  %postun
>  %if 0%{?systemd_postun_with_restart:1}
>      %systemd_postun_with_restart %{name}.service
> @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT
>      fi
>  %endif
>  
> +%postun selinux-policy
> +if [ $1 -eq 0 ] ; then
> +  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +fi
> +
> +%files selinux-policy
> +%defattr(-,root,root)
> +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> +
>  %files -n python-openvswitch
>  %{python_sitelib}/ovs
>  %doc COPYING
> diff --git a/selinux/automake.mk b/selinux/automake.mk
> new file mode 100644
> index 0000000..1088f36
> --- /dev/null
> +++ b/selinux/automake.mk
> @@ -0,0 +1,9 @@
> +# Copyright (C) 2016 Nicira, Inc.
> +#
> +# Copying and distribution of this file, with or without modification,
> +# are permitted in any medium without royalty provided the copyright
> +# notice and this notice are preserved.  This file is offered as-is,
> +# without warranty of any kind.
> +
> +EXTRA_DIST += \
> +        selinux/openvswitch-custom.te
> diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
> new file mode 100644
> index 0000000..fc32b97
> --- /dev/null
> +++ b/selinux/openvswitch-custom.te
> @@ -0,0 +1,9 @@
> +module openvswitch-custom 1.0;
> +
> +require {
> +        type openvswitch_t;
> +        class netlink_socket { setopt getopt create connect getattr write read };
> +}
> +
> +#============= openvswitch_t ==============
> +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };

Should any of the dpdk requirements go in at this time, or should that
be considered future work (ie: hugepage access, etc.)? I know that dpdk
will become non-experimental in the future, and before that happens this
should be known.



More information about the dev mailing list