[ovs-dev] [PATCH] rhel: provide our own SELinux custom policy package

Ansis Atteka aatteka at nicira.com
Wed Jan 20 06:50:26 UTC 2016


CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
SELinux policy that is too strict and prevents Open vSwitch from working
normally out of the box.

As a solution, this patch introduces a new package which will "loosen"
up "openvswitch_t" SELinux domain so that Open vSwitch could operate
normally.

Intended use-cases of this package are:
1. to allow users to install newer Open vSwitch on already released Fedora,
RHEL and CentOS distributions where the default Open vSwitch SELinux policy
that shipped with the corresponding Linux distribution is not up to date
and did not anticipate that a newer Open vSwitch version might need to
invoke new system calls or need to access certain system resources that
it did not before; And
2. to provide alternative means through which Open vSwitch developers
can proactively fix SELinux related policy issues without waiting for
corresponding Linux distribution maintainers to update their central
Open vSwitch SELinux policy.

This patch was tested on Fedora 23 and CentOS 7. I verified that now
on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
not see the following error messages:

vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
netlink_socket|ERR|fcntl: Permission denied
dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
                 The Open vSwitch kernel module is probably not loaded.
dpif|WARN|failed to enumerate system datapaths: Permission denied
dpif|WARN|failed to create datapath ovs-system: Permission denied

I did not test all Open vSwitch features so there still could be some
OVS configuration that would get "Permission denied" errors.

Since Open vSwitch daemons on Ubuntu 15.10 by default run under the "unconfined"
SELinux domain, there is no need to create a similar debian package
for Ubuntu.

Signed-off-by: Ansis Atteka <aatteka at nicira.com>
---
 INSTALL.SELinux.md               | 113 +++++++++++++++++++++++++++++++++++++++
 Makefile.am                      |   2 +
 README.md                        |   2 +
 rhel/.gitignore                  |   1 +
 rhel/automake.mk                 |   5 ++
 rhel/openvswitch-selinux.spec.in |  59 ++++++++++++++++++++
 selinux/automake.mk              |   9 ++++
 selinux/openvswitch-custom.te    |  14 +++++
 8 files changed, 205 insertions(+)
 create mode 100644 INSTALL.SELinux.md
 create mode 100644 rhel/openvswitch-selinux.spec.in
 create mode 100644 selinux/automake.mk
 create mode 100644 selinux/openvswitch-custom.te

diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md
new file mode 100644
index 0000000..554bd0b
--- /dev/null
+++ b/INSTALL.SELinux.md
@@ -0,0 +1,113 @@
+Running Open vSwitch under SELinux
+==================================
+
+Security-Enhanced Linux (SELinux) is a Linux kernel security
+module that limits "the malicious things" that certain processes,
+including OVS, can do on the system in case there is a security
+vulnerability in one of the daemons.  In our case SELinux basically
+serves as the "second line of defence" that makes it harder for malicious
+hackers to compromise the whole system, if one of the daemons that
+is restricted by SELinux have been compromised.  This feature
+in SELinux is known as "Type Enforcement".  Besides Type Enforcement
+there are other SELinux features, but they are out of scope for this
+document.
+
+Currently there are two SELinux policies for Open vSwitch:
+1. the one that ships with your Linux distribution (i.e. selinux-policy-*
+   packages); And
+2. the one that ships with OVS (i.e. openvswitch-selinux-policy
+   package).
+
+
+Limitations
+-----------
+
+If Open vSwitch is directly started from command line, then it
+will run under "unconfined_t" SELinux domain that basically lets
+daemon to do whatever it likes.  This is very important for developers
+to understand, because they might introduce new system calls that
+OVS invokes and forgot to loosen up SELinux policy, because they
+did not see error in the first place.
+
+Currently the only distributions that enforce SELinux by default
+are RHEL, CentOS and Fedora.  While Ubuntu and Debian also support
+SELinux they run Open vSwitch under the unrestricted "unconfined"
+domain.  Also, it seems that Ubuntu is leaning towards Apparmor
+that works slightly differently than SELinux.
+
+SELinux and Open vSwitch are moving targets.  What this means
+is that, if you rely on your SELinux policy that ships with
+your Linux distribution, then this policy might not have correctly
+anticipated that a newer Open vSwitch version works differently and
+needs different policy to operate normally.  However, if you rely
+on SELinux policy that ships with Open vSwitch, then Open vSwitch
+developers might not have correctly anticipated the feature set that
+your SELinux supports, for example, as of writing this there are
+SELinux versions out there that allow to fine tune access to specific
+NetLink sockets opposed to whole NetLink family class.
+
+
+Troubleshooting
+---------------
+When SELinux was implemented a lot of standard system utilities
+acquired "-Z" flag (e.g. "ps -Z", "ls -Z").  For example, to find
+out under which SELinux security domain process runs use:
+
+   # ps -AZ | grep ovs-vs
+   system_u:system_r:openvswitch_t:s0 854 ?    ovs-vswitchd
+
+To find out the SELinux label for a file or directory use:
+
+   # ls -Z /etc/openvswitch/conf.db 
+   system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
+
+Typically SELinux policy
+
+
+If for example, SELinux policy for Open vSwitch is too strict,
+then you might see in Open vSwitch log files "Permission Denied"
+errors.
+
+    # cat /var/log/openvswitch/ovs-vswitchd.log
+    vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
+    ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
+    ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
+    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
+    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
+    netlink_socket|ERR|fcntl: Permission denied
+    dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
+                     The Open vSwitch kernel module is probably not loaded.
+    dpif|WARN|failed to enumerate system datapaths: Permission denied
+    dpif|WARN|failed to create datapath ovs-system: Permission denied
+
+
+
+Though, not all "Permission denied" errors are caused by SELinux.  So,
+before blaming too strict SELinux policy make sure that indeed SELinux
+was the one that denied OVS access to certain resources, for example:
+
+   # grep "openvswitch_t" /var/log/audit/audit.log | tail
+   type=AVC msg=audit(1453235431.640:114671): avc:  denied  { getopt } for  pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
+
+
+If SELinux denied OVS to do certain things, then make sure that you
+have installed our SELinux policy package that "loosens" up the default
+SELinux policy that ships with your Linux distribution:
+
+   # rpm -qa | grep openvswitch-selinux
+   openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
+
+And then verify that this module was indeed loaded:
+
+   # semodule -l | grep openvswitch
+   openvswitch-custom	1.0	
+   openvswitch          1.1.1
+
+
+
+Reporting Bugs
+--------------
+
+Please report problems to bugs at openvswitch.org.
+
+[INSTALL.md]:INSTALL.md
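Review bot: the line `Typically SELinux policy` in the Troubleshooting section is an unfinished sentence followed by two blank lines; either complete it or drop it. Two smaller points in the same file: the reference definition `[INSTALL.md]:INSTALL.md` on the last line is never used by any link in the document, and the Troubleshooting section would be more useful if it named the standard tooling for the workflow it describes, i.e. `ausearch -m avc -c ovs-vswitchd` to pull the denials and `audit2allow` to turn them into a candidate `.te` rule, rather than only `grep "openvswitch_t" /var/log/audit/audit.log`. Note also that the sample AVC shows `tclass=netlink_generic_socket`, which is exactly the per-family netlink class the Limitations section warns about; it is worth saying so next to the sample, since that is what a reader will be matching against the shipped `netlink_socket` rule.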
diff --git a/Makefile.am b/Makefile.am
index 59a1466..66b1398 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -84,6 +84,7 @@ docs = \
 	INSTALL.NetBSD.md \
 	INSTALL.RHEL.md \
 	INSTALL.SSL.md \
+        INSTALL.SELinux.md \
 	INSTALL.XenServer.md \
 	INSTALL.userspace.md \
 	INSTALL.Windows.md \
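Review bot: `INSTALL.SELinux.md` is indented with spaces while the surrounding entries use a tab; make accepts it in a variable continuation, but keep the tab for consistency. The list is otherwise alphabetical, so the entry also belongs before `INSTALL.SSL.md` rather than after it.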
@@ -380,3 +381,4 @@ include vtep/automake.mk
 include datapath-windows/automake.mk
 include datapath-windows/include/automake.mk
 include windows/automake.mk
+include selinux/automake.mk
diff --git a/README.md b/README.md
index b590928..82065c7 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,8 @@ To use Open vSwitch...
 
 - ...without using a kernel module, read [INSTALL.userspace.md].
 
+- ...with SELinux, read [INSTALL.SELinux.md].
+
 For answers to common questions, read [FAQ.md].
 
 To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md].
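Review bot: `[INSTALL.SELinux.md]` is a reference-style link in the same form as `[INSTALL.userspace.md]` two lines above, but the diffstat shows README.md gaining only these two lines, so no matching `[INSTALL.SELinux.md]:INSTALL.SELinux.md` definition is added; the link will render as literal brackets unless that definition is appended to the README's reference list alongside the existing ones.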
diff --git a/rhel/.gitignore b/rhel/.gitignore
index 164bb66..5054add 100644
--- a/rhel/.gitignore
+++ b/rhel/.gitignore
@@ -2,5 +2,6 @@ openvswitch-dkms.spec
 openvswitch-kmod-rhel5.spec
 openvswitch-kmod-rhel6.spec
 openvswitch-kmod-fedora.spec
+openvswitch-selinux.spec
 openvswitch.spec
 openvswitch-fedora.spec
diff --git a/rhel/automake.mk b/rhel/automake.mk
index b1b67ec..426807d 100644
--- a/rhel/automake.mk
+++ b/rhel/automake.mk
@@ -23,6 +23,8 @@ EXTRA_DIST += \
 	rhel/openvswitch.spec.in \
 	rhel/openvswitch-fedora.spec \
 	rhel/openvswitch-fedora.spec.in \
+	rhel/openvswitch-selinux.spec \
+	rhel/openvswitch-selinux.spec.in \
 	rhel/usr_share_openvswitch_scripts_sysconfig.template \
 	rhel/usr_share_openvswitch_scripts_systemd_sysconfig.template \
 	rhel/usr_lib_systemd_system_openvswitch.service \
@@ -47,3 +49,6 @@ $(srcdir)/rhel/openvswitch.spec: rhel/openvswitch.spec.in $(top_builddir)/config
 
 $(srcdir)/rhel/openvswitch-fedora.spec: rhel/openvswitch-fedora.spec.in $(top_builddir)/config.status
 	$(update_rhel_spec)
+
+$(srcdir)/rhel/openvswitch-selinux.spec: rhel/openvswitch-selinux.spec.in $(top_builddir)/config.status
+        $(update_rhel_spec)
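Review bot: the recipe line `$(update_rhel_spec)` under the new `openvswitch-selinux.spec` rule is indented with spaces, whereas the `openvswitch-fedora.spec` rule directly above it uses a tab. Make requires a leading tab on recipe lines, so this rule fails with a "missing separator" error; replace the spaces with a tab.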
diff --git a/rhel/openvswitch-selinux.spec.in b/rhel/openvswitch-selinux.spec.in
new file mode 100644
index 0000000..b266c30
--- /dev/null
+++ b/rhel/openvswitch-selinux.spec.in
@@ -0,0 +1,59 @@
+# Spec file for Open vSwitch SELinux policy.
+#
+# Copyright (C) 2016 Nicira, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.  This file is offered as-is,
+# without warranty of any kind.
+
+%define oname openvswitch
+
+%global selinux_pol targeted
+
+Name:           %{oname}-selinux-policy
+Version:        @VERSION@
+Release:        1%{?dist}
+Summary:        Open vSwitch SELinux policy
+Group:          System Environment/Daemons
+License:        ASL 2.0 and LGPLv2+ and SISSL
+URL:            http://openvswitch.org/
+Source:         %{oname}-%{version}.tar.gz
+Requires:       selinux-policy-targeted
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+BuildRequires:  checkpolicy, selinux-policy-devel
+
+%description
+This package fine-tunes Open vSwitch SELinux targeted policy.  Use it, if the
+default SELinux policy that ships with your Linux Distribution prevents Open
+vSwitch from operating normally.
+
+%prep
+%setup -n %{oname}-%{version}
+
+%build
+cd selinux
+make -f %{_datadir}/selinux/devel/Makefile
+
+%install
+install -p -m 644 -D selinux/openvswitch-custom.pp $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
+
+%post
+/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
+
+%postun
+if [ $1 -eq 0 ] ; then
+  /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
+fi
+
+%clean
+rm -rf %buildroot
+
+%files
+%defattr(-,root,root)
+%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
+
+%changelog
+* Mon Jan 18 2016 Ansis Atteka <aatteka at nicira.com>
+- First build on F23 and CentOS7
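Review bot: `%post` and `%postun` call `/usr/sbin/semodule`, but the only runtime dependency is `Requires: selinux-policy-targeted`; add `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` so the scriptlets cannot run before the tool is installed. Three further points: `%global selinux_pol targeted` is defined and never used; `&> /dev/null || :` in `%post` hides every failure of `semodule -i`, so a module that fails to load (for example because a type named in the `.te` `require` block is absent) still yields a successfully installed package with no policy, which is exactly the silent "Permission denied" situation the INSTALL doc then has to debug, so at least log the failure; and `%files` lists only the `.pp`, leaving `%{_datadir}/selinux/packages/%{name}` unowned, so add a `%dir` entry for it.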
diff --git a/selinux/automake.mk b/selinux/automake.mk
new file mode 100644
index 0000000..1088f36
--- /dev/null
+++ b/selinux/automake.mk
@@ -0,0 +1,9 @@
+# Copyright (C) 2016 Nicira, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# are permitted in any medium without royalty provided the copyright
+# notice and this notice are preserved.  This file is offered as-is,
+# without warranty of any kind.
+
+EXTRA_DIST += \
+        selinux/openvswitch-custom.te
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
new file mode 100644
index 0000000..6f78cd9
--- /dev/null
+++ b/selinux/openvswitch-custom.te
@@ -0,0 +1,14 @@
+module openvswitch-custom 1.0;
+
+require {
+        type openvswitch_t;
+        type abrt_dump_oops_t;
+        class netlink_socket { setopt getopt create connect getattr write read };
+        class process getattr;
+}
+
+#============= abrt_dump_oops_t ==============
+allow abrt_dump_oops_t openvswitch_t:process getattr;
+
+#============= openvswitch_t ==============
+allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
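Review bot: the `allow openvswitch_t self:netlink_socket { ... }` rule does not match the denial this patch is meant to fix. The AVC quoted in INSTALL.SELinux.md reports `tclass=netlink_generic_socket`, and on a policy with per-family netlink classes (the case the Limitations section itself describes) a rule on `netlink_socket` does not cover that class, so the `getopt` denial on the generic netlink socket would remain. A rule for `netlink_generic_socket` is needed there, with the caveat that `require`-ing that class fails to load on older policies that do not define it, so this may need two module variants or a build-time check rather than one `.te`. Separately, the `abrt_dump_oops_t` rule grants a permission to abrt rather than to OVS, is not needed for OVS to run, and makes the whole module fail to load on any system where the abrt policy module (which defines that type) is absent; it belongs in the distribution's abrt policy, so consider dropping it.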
-- 
2.1.4
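The troubleshooting workflow this patch documents (read an AVC denial for openvswitch_t out of audit.log, then check whether the rule in selinux/openvswitch-custom.te actually covers it) as an added shell example. This is not code from the patch or from Open vSwitch; the sample AVC line is the one quoted in INSTALL.SELinux.md embedded as a constructed string, the rule string is the one from openvswitch-custom.te, and the helper names (avc_field, avc_to_allow, te_rule_covers) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the patch: derive the allow rule implied by one
# AVC denial and check it against a rule from selinux/openvswitch-custom.te.
# Helper names (avc_field, avc_to_allow, te_rule_covers) are this example's own.

# Constructed sample: the denial quoted in INSTALL.SELinux.md.
SAMPLE_AVC='type=AVC msg=audit(1453235431.640:114671): avc:  denied  { getopt } for  pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0'

# The rule the shipped module grants for this domain.
TE_RULE='allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };'

# avc_field LINE KEY -> value of "KEY=value" in LINE, empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> permissions listed between "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow SRC TGT:CLASS { perms };", using "self" when
# source and target types are equal (the form openvswitch-custom.te uses).
# Returns 1 for lines that are not AVC denials.
avc_to_allow() {
    case $1 in
        *"avc:  denied"*|*"avc: denied"*) ;;
        *) return 1 ;;
    esac
    a_src=$(ctx_type "$(avc_field "$1" scontext)")
    a_tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    a_cls=$(avc_field "$1" tclass)
    a_perms=$(avc_perms "$1")
    [ -n "$a_src" ] && [ -n "$a_tgt" ] && [ -n "$a_cls" ] && [ -n "$a_perms" ] || return 1
    [ "$a_src" = "$a_tgt" ] && a_tgt=self
    printf 'allow %s %s:%s { %s };\n' "$a_src" "$a_tgt" "$a_cls" "$a_perms"
}

# te_rule_covers RULE LINE -> 0 if RULE grants every permission LINE was
# denied, on the same source type, target type and object class; else 1.
# Classes are compared literally: with per-family netlink classes enabled,
# netlink_generic_socket is a different class from netlink_socket.
te_rule_covers() {
    rule=$1; line=$2
    set -- $rule                       # allow SRC TGT:CLASS { perms };
    r_src=$2
    r_tgt=${3%%:*}
    r_cls=${3#*:}
    r_perms=$(printf '%s\n' "$rule" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p')
    d_src=$(ctx_type "$(avc_field "$line" scontext)")
    d_tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    d_cls=$(avc_field "$line" tclass)
    [ "$r_tgt" = self ] && r_tgt=$d_src
    [ "$r_src" = "$d_src" ] && [ "$r_tgt" = "$d_tgt" ] && [ "$r_cls" = "$d_cls" ] || return 1
    for p in $(avc_perms "$line"); do
        case " $r_perms " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

echo "rule implied by the denial:"
avc_to_allow "$SAMPLE_AVC"
if te_rule_covers "$TE_RULE" "$SAMPLE_AVC"; then
    echo "covered by: $TE_RULE"
else
    echo "NOT covered by: $TE_RULE"
fi
```

Running it prints the allow rule the denial implies and reports whether the module's `netlink_socket` rule covers it; on this sample it does not, because the kernel reported the per-family class `netlink_generic_socket`, which is the mismatch a reader of the Limitations section should be looking for before concluding the package is not installed or not loaded.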



