[ovs-dev] [PATCH 2/2] rhel: Allow openvswitch to get parent information

Joe Stringer joe at ovn.org
Tue Jul 26 19:57:07 UTC 2016


On 25 July 2016 at 18:16, Flavio Leitner <fbl at redhat.com> wrote:
> Updates SELinux to allow ovs-vsctl to get parent process
> information and log that to the database:
>
> record 241: 2016-07-26 00:59:47.418 "ovs-vsctl (invoked by /bin/bash
> (pid 1589)): ovs-vsctl -t 10 -- --if-exist ...
>
> Jul 25 12:57:35 localhost.localdomain audit[830]: AVC avc:  denied  {
> search } for  pid=830 comm="ovs-vsctl" name="731" dev="proc" ino=14140
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=dir permissive=0
>
> Signed-off-by: Flavio Leitner <fbl at redhat.com>
> ---
>  selinux/openvswitch-custom.te | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
> index fc32b97..5739595 100644
> --- a/selinux/openvswitch-custom.te
> +++ b/selinux/openvswitch-custom.te
> @@ -2,8 +2,13 @@ module openvswitch-custom 1.0;
>
>  require {
>          type openvswitch_t;
> +        attribute domain;
>          class netlink_socket { setopt getopt create connect getattr write read };
> +        class dir { search };
> +        class file { open getattr read };
>  }
>
>  #============= openvswitch_t ==============
>  allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
> +allow openvswitch_t domain:dir { search };
> +allow openvswitch_t domain:file { open getattr read };
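Review bot: the two new allow rules at the end of the hunk target the `domain` attribute, which covers every process type on the system, while the AVC in the commit message shows a single target type, `tcontext=system_u:system_r:initrc_t:s0`. As written, `allow openvswitch_t domain:dir { search };` and `allow openvswitch_t domain:file { open getattr read };` let ovs-vsctl walk and read the /proc/<pid> tree of any domain, which is much more than "the parent process". Suggest narrowing the target to the type seen in the denial (`allow openvswitch_t initrc_t:dir { search };`) or to the set of domains that actually invoke ovs-vsctl, and noting in the commit message why a broader target is required if it is. Also, only a `dir search` denial is quoted; the `file { open getattr read }` rule has no matching AVC in the description, so please include the denial it fixes (presumably the read of the parent's /proc/<pid>/cmdline) so the permissions can be checked against it.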

Hi Flavio,

Thanks for spending some time to get OVS in better shape with SELinux.
I figure that once this settles down a bit we should take the policy
file here and work towards upstreaming all of the policy changes.

As far as I can follow, this "domain" type is not just for accessing
OVS directories and files (like openvswitch_t), but for a much wider
range of paths:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/SELinux_Guide/rhlcommon-section-0048.html

"# The domain attribute identifies every type that can be
# assigned to a process.  This attribute is used in TE rules
# that should be applied to all domains, e.g. permitting
# init to kill all processes."

Is my understanding (+documentation) correct here? Is there a similar
but more restrictive policy that allows ovs-vsctl to access, for
example, /var/run/openvswitch/* (with var_run_openvswitch_t or
similar)? Alternatively is there an example of another daemon that has
a similar policy that sets a precedent for writing the policy like
this?

Would you also be able to provide the full ovs-vsctl commandline? It
was a little difficult to understand exactly what was going on during
this event, or try to reproduce.

Lastly, I've just applied the other SELinux patch so you'll need to
rebase this one.

Cheers,
Joe
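To make the scope question above concrete, here is a small added example (not code from the OVS tree or from either poster) that does what audit2allow does by hand: it parses AVC denial lines, aggregates them into the minimal `allow` rules keyed by the exact source type, target type and class they name, and flags any rule whose target is the `domain` attribute rather than a concrete type. The first AVC line is the one quoted in the patch description; the second, a file read of /proc/731/cmdline, is a constructed line assumed for illustration and not taken from the page.

```python
import re
from collections import defaultdict

# Sample auditd AVC lines. The first is quoted from the patch description;
# the second is CONSTRUCTED (hypothetical) to show a file-class denial.
AVC_LINES = [
    'audit[830]: AVC avc:  denied  { search } for  pid=830 comm="ovs-vsctl" '
    'name="731" dev="proc" ino=14140 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=dir permissive=0',
    'audit[830]: AVC avc:  denied  { read open } for  pid=830 comm="ovs-vsctl" '
    'path="/proc/731/cmdline" dev="proc" ino=14141 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=file permissive=0',
]

# Pull the permission set, source/target contexts and object class out of
# one AVC record. Everything between them (pid, comm, path, ino) is skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Attributes that stand for a whole family of types. A rule whose target is
# one of these grants far more than the denial that prompted it.
BROAD_TARGET_ATTRIBUTES = {'domain'}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into its policy-relevant fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m['perms'].split()),
        'stype': context_type(m['scontext']),
        'ttype': context_type(m['tcontext']),
        'tclass': m['tclass'],
    }


def minimal_allow_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class).

    The target is the concrete type from tcontext, never an attribute, so the
    resulting rules are as narrow as the observed denials.
    """
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


RULE_RE = re.compile(r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+\{')


def is_broad_rule(rule):
    """True if an allow rule targets a broad attribute such as `domain`."""
    m = RULE_RE.match(rule)
    return bool(m) and m['tgt'] in BROAD_TARGET_ATTRIBUTES


if __name__ == '__main__':
    for rule in minimal_allow_rules(AVC_LINES):
        print(rule)
    # The rules from the patch under review, for comparison.
    for rule in ('allow openvswitch_t domain:dir { search };',
                 'allow openvswitch_t domain:file { open getattr read };'):
        print(('BROAD   ' if is_broad_rule(rule) else 'narrow  ') + rule)
```

Run against the two lines above it emits `allow openvswitch_t initrc_t:dir { search };` and `allow openvswitch_t initrc_t:file { open read };`, which is the shape of rule the review asks about: scoped to the type that actually appeared in the denial. The same check reports both `domain:` rules from the patch as broad. In practice you would still decide whether initrc_t is the only parent worth allowing, but the script makes the gap between "what was denied" and "what the rule grants" visible.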
