[ovs-dev] [PATCH] rhel: provide our own SELinux custom policy package
Aaron Conole
aconole at redhat.com
Tue Feb 16 15:33:59 UTC 2016
Thanks for this work, Ansis!
Ansis Atteka <ansisatteka at gmail.com> writes:
> From: Ansis Atteka <aatteka at nicira.com>
>
> CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
> SELinux policy that is too strict and prevents Open vSwitch to work
> normally out of the box.
>
> As a solution, this patch introduces a new package which will "loosen"
> up "openvswitch_t" SELinux domain so that Open vSwitch could operate
> normally.
>
> Intended use-cases of this package are:
> 1. to allow users to install newer Open vSwitch on already released Fedora,
> RHEL and CentOS distributions where the default Open vSwitch SELinux policy
> that shipped with the corresponding Linux distribution is not up to date
> and did not anticipate that a newer Open vSwitch version might need to
> invoke new system calls or need to access certain system resources that
> it did not before; And
> 2. to provide alternative means through which Open vSwitch developers
> can proactively fix SELinux related policy issues without waiting for
> corresponding Linux distribution maintainers to update their central
> Open vSwitch SELinux policy.
>
> This patch was tested on Fedora 23 and CentOS 7. I verified that now
> on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
> not see following error messages:
>
> vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> netlink_socket|ERR|fcntl: Permission denied
> dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
> The Open vSwitch kernel module is p robably not loaded.
> dpif|WARN|failed to enumerate system datapaths: Permission denied
> dpif|WARN|failed to create datapath ovs-system: Permission denied
>
> I did not test all Open vSwitch features so there still could be some
> OVS configuration that would get "Permission denied" errors.
>
> Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined"
> SELinux domain, then there is no need to create a similar debian package
> for Ubuntu, because it works on default Ubuntu installation.
>
> Signed-Off-By: Ansis Atteka <aatteka at nicira.com>
> ---
> INSTALL.SELinux.md | 166 ++++++++++++++++++++++++++++++++++++++++
> Makefile.am | 2 +
> README.md | 2 +
> rhel/openvswitch-fedora.spec.in | 27 +++++++
> selinux/automake.mk | 9 +++
> selinux/openvswitch-custom.te | 9 +++
> 6 files changed, 215 insertions(+)
> create mode 100644 INSTALL.SELinux.md
> create mode 100644 selinux/automake.mk
> create mode 100644 selinux/openvswitch-custom.te
>
> diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md
> new file mode 100644
> index 0000000..dc93d6d
> --- /dev/null
> +++ b/INSTALL.SELinux.md
> @@ -0,0 +1,166 @@
> +Running Open vSwitch under SELinux
> +==================================
> +
> +Security-Enhanced Linux (SELinux) is a Linux kernel security
> +module that limits "the malicious things" that certain processes,
> +including OVS, can do to the system in case they get compromised.
> +In our case SELinux basically serves as the "second line of defense"
> +that limits the things that OVS processes are allowed to do. The
> +"first line of defense" is proper input validation that eliminates
> +code paths that could be used by attacker to do any sort of
> +"escape attacks" (e.g. file name escape, shell escape, command
> +line argument escape, buffer escape). Since developers don't
> +always implement proper input validation, then SELinux Access
> +Control's goal is to confine damage of such attacks, if they
> +turned out to be possible.
> +
> +Besides Type Enforcement there are other SELinux
> +features, but they are out of scope for this document.
> +
> +Currently there are two SELinux policies for Open vSwitch:
> +1. the one that ships with your Linux distribution (i.e.
> + selinux-policy-targeted package); And
> +2. the one that ships with OVS (i.e. openvswitch-selinux-policy
> + package).
> +
> +
> +Limitations
> +-----------
> +
> +If Open vSwitch is directly started from command line, then it
> +will run under "unconfined_t" SELinux domain that basically lets
> +daemon to do whatever it likes. This is very important for developers
> +to understand, because they might introduced code in OVS that invokes
> +new system calls that SELinux policy did not anticipate. This means
> +that their feature may have worked out just fine for them. However,
> +if someone else would try to run the same code when Open vSwitch is
> +started through systemctl, then Open vSwitch would get Permission Denied
> +errors.
> +
> +Currently the only distributions that enforce SELinux on OVS by
> +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also
> +have some SELinux support, they run Open vSwitch under the unrestricted
> +"unconfined" domain. Also, it seems that Ubuntu is leaning towards
> +Apparmor that works slightly differently than SELinux.
> +
> +SELinux and Open vSwitch are moving targets. What this means
> +is that, if you solely rely on your Linux distribution's SELinux policy,
> +then this policy might not have correctly anticipated that a newer
> +Open vSwitch version needs extra white list rules. However, if you
> +solely rely on SELinux policy that ships with Open vSwitch, then
> +Open vSwitch developers might not have correctly anticipated the
> +feature set that your SELinux implementation supports.
> +
> +
> +Installation
> +------------
> +
> +Refer to [INSTALL.Fedora.md] for instructions on how to build all
> +Open vSwitch rpm packages.
> +
> +Once the package is built, install it on your Linux distribution with:
> +
> + # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
> +
> +And, then restart Open vSwitch:
> +
> + # systemctl restart openvswitch
> +
> +
> +Troubleshooting
> +---------------
> +
> +When SELinux was implemented some of the standard system utilities
> +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out
> +under which SELinux security domain process runs, use:
> +
> + # ps -AZ | grep ovs-vswitchd
> + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd
> +
> +To find out the SELinux label of file or directory, use:
> +
> + # ls -Z /etc/openvswitch/conf.db
> + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
> +
> +
> +If, for example, SELinux policy for Open vSwitch is too strict,
> +then you might see in Open vSwitch log files "Permission Denied"
> +errors:
> +
> + # cat /var/log/openvswitch/ovs-vswitchd.log
> + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> + netlink_socket|ERR|fcntl: Permission denied
> + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
> + The Open vSwitch kernel module is probably not loaded.
> + dpif|WARN|failed to enumerate system datapaths: Permission denied
> + dpif|WARN|failed to create datapath ovs-system: Permission denied
> +
> +
> +
> +However, not all "Permission denied" errors are caused by SELinux. So,
> +before blaming too strict SELinux policy, make sure that indeed SELinux
> +was the one that denied OVS access to certain resources, for example, run:
> +
> + # grep "openvswitch_t" /var/log/audit/audit.log | tail
> + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
> +
> +
> +If SELinux denied OVS access to certain resources, then make sure that you
> +have installed our SELinux policy package that "loosens" up distribution's
> +SELinux policy:
> +
> + # rpm -qa | grep openvswitch-selinux
> + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
> +
> +And, then verify that this module was indeed loaded:
> +
> + # semodule -l | grep openvswitch
> + openvswitch-custom 1.0
> + openvswitch 1.1.1
> +
> +If you still see Permission denied errors, then take a look
> +into selinux/openvswitch.te file in the OVS source tree and
> +try to add white list rules. This is really simple, just run
> +SELinux audit2allow tool:
> +
> + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
Should this also state to report the issue as a bug to
dev at openvswitch.org? Maybe it's out of scope? I don't know. This is good
information definitely.
> +Contributing SELinux policy patches
> +-----------------------------------
> +
> +Here are few things to consider before proposing SELinux policy
> +patches to Open vSwitch developer mailing list:
> +
> +1. The SELinux policy that resides in Open vSwitch source tree
> + amends SELinux policy that ships with your distributions.
> +
> + Implications of this are that it is assumed that the distribution's
> + Open vSwitch SELinux module must be already loaded to satisfy
> + dependencies.
> +
> +2. The SELinux policy that resides in Open vSwitch source tree
> + must work on all currently relevant Linux distributions.
> +
> + Implications of this are that you should use only those SELinux
> + policy features that are supported by the lowest SELinux version
> + out there.
Maybe there should just be an explicit version to use, which can be
bumped. Otherwise it's very difficult to figure out which version can be
used.
> +3. The SELinux policy is enforced only when state transition to
> + openvswitch_t domain happens.
> +
> + Implications of this are that perhaps instead of loosening SELinux
> + policy you can do certain things at the time rpm package is installed.
> +
> +
> +
> +Reporting Bugs
> +--------------
> +
> +Please report problems to bugs at openvswitch.org.
> +
> +[INSTALL.md]:INSTALL.md
> diff --git a/Makefile.am b/Makefile.am
> index 75ccadf..a71a4d6 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -79,6 +79,7 @@ docs = \
> INSTALL.Libvirt.md \
> INSTALL.NetBSD.md \
> INSTALL.RHEL.md \
> + INSTALL.SELinux.md \
> INSTALL.SSL.md \
> INSTALL.XenServer.md \
> INSTALL.userspace.md \
> @@ -431,3 +432,4 @@ include datapath-windows/automake.mk
> include datapath-windows/include/automake.mk
> include windows/automake.mk
> include ovn/automake.mk
> +include selinux/automake.mk
> diff --git a/README.md b/README.md
> index b590928..82065c7 100644
> --- a/README.md
> +++ b/README.md
> @@ -97,6 +97,8 @@ To use Open vSwitch...
>
> - ...without using a kernel module, read [INSTALL.userspace.md].
>
> +- ...with SELinux, read [INSTALL.SELinux.md].
> +
> For answers to common questions, read [FAQ.md].
>
> To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md].
> diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in
> index 00e491b..c018370 100644
> --- a/rhel/openvswitch-fedora.spec.in
> +++ b/rhel/openvswitch-fedora.spec.in
> @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel
> BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six
> BuildRequires: desktop-file-utils
> BuildRequires: groff graphviz
> +BuildRequires: checkpolicy, selinux-policy-devel
> # make check dependencies
> BuildRequires: procps-ng
> %if %{with libcapng}
> @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and
> support for the OpenFlow protocol for remote per-flow control of
> traffic.
>
> +%package selinux-policy
> +Summary: Open vSwitch SELinux policy
> +License: ASL 2.0
> +BuildArch: noarch
> +Requires: selinux-policy-targeted
> +
> +%description selinux-policy
> +Tailored Open vSwitch SELinux policy
> +
> %package -n python-openvswitch
> Summary: Open vSwitch python bindings
> License: ASL 2.0
> @@ -131,6 +141,8 @@ overlays and security groups.
> --with-pkidir=%{_sharedstatedir}/openvswitch/pki
>
> make %{?_smp_mflags}
> +cd selinux
> +make -f %{_datadir}/selinux/devel/Makefile
>
> %install
> rm -rf $RPM_BUILD_ROOT
> @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
> touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
> touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
>
> +install -p -m 644 -D selinux/openvswitch-custom.pp \
> + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> +
> # remove unpackaged files
> rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
> $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \
> @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT
> fi
> %endif
>
> +%post selinux-policy
> +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> +
> %postun
> %if 0%{?systemd_postun_with_restart:1}
> %systemd_postun_with_restart %{name}.service
> @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT
> fi
> %endif
>
> +%postun selinux-policy
> +if [ $1 -eq 0 ] ; then
> + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> +fi
> +
> +%files selinux-policy
> +%defattr(-,root,root)
> +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> +
> %files -n python-openvswitch
> %{python_sitelib}/ovs
> %doc COPYING
> diff --git a/selinux/automake.mk b/selinux/automake.mk
> new file mode 100644
> index 0000000..1088f36
> --- /dev/null
> +++ b/selinux/automake.mk
> @@ -0,0 +1,9 @@
> +# Copyright (C) 2016 Nicira, Inc.
> +#
> +# Copying and distribution of this file, with or without modification,
> +# are permitted in any medium without royalty provided the copyright
> +# notice and this notice are preserved. This file is offered as-is,
> +# without warranty of any kind.
> +
> +EXTRA_DIST += \
> + selinux/openvswitch-custom.te
> diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
> new file mode 100644
> index 0000000..fc32b97
> --- /dev/null
> +++ b/selinux/openvswitch-custom.te
> @@ -0,0 +1,9 @@
> +module openvswitch-custom 1.0;
> +
> +require {
> + type openvswitch_t;
> + class netlink_socket { setopt getopt create connect getattr write read };
> +}
> +
> +#============= openvswitch_t ==============
> +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
Should any of the dpdk requirements go in at this time, or should that
be considered future work (ie: hugepage access, etc.)? I know that dpdk
will become non-experimental in the future, and before that happens this
should be known.
More information about the dev
mailing list