[ovs-dev] [PATCH v3 0/6] selinux: introduce a transition domain for loading kmods

Aaron Conole aconole at redhat.com
Fri Jun 1 18:28:43 UTC 2018

On linux systems, the initial start of openvswitch attempts to load
the openvswitch.ko kernel module.  This module allows openvswitch to
utilize the kernel datapath.

Some of these linux systems, notably Fedora and RHEL, use selinux to
enforce additional restrictions on various processes by way of allowing
or disallowing access from a specific selinux domain to a particular
operation on an selinux type.  On these systems, the openvswitch
initialization will be run from the 'openvswitch_t' selinux domain.
Attempts by a process in the 'openvswitch_t' selinux domain to load a
kernel module will be denied.

One solution would be to simply allow 'openvswitch_t' to load a kernel
directly.  This essentially means that 'openvswitch_t' would really be
'unconfined_t' - since an attacker that can control the code can issue
a kernel load.

The solution implemented here uses a labeled file in the openvswitch
scripts directory, which is writable only by root.  That file will force
a domain transition to the 'openvswitch_load_module_t' domain.  The
'openvswitch_load_module_t' domain will then be granted permissions to
load a kernel module.

The labelling won't take place until after the changes implemented in 6/6,
so it is really important to test the automatic labelling after that point.

* Rebased
* Added ACKs from Ansis
* Suppressed a new 'search' flag from ovs-kmod-ctl via dontaudit (it wasn't
  required for the modprobe to be successful)
* Added a new capability set allowance for ovs-vswitchd in commit 3/6 after
  additional testing (these should have always been there).
* Folded in changes to ovs-kmod-ctl based on Ansis' feedback

* Added a new commit to set the selinux-policy module version
* Added changes to the centos build in 4/4 to match the fedora build
* Fixed the manpage in 1/5

Aaron Conole (6):
  ovs-kmod-ctl: introduce a kernel module load script
  selinux: create a transition type for module loading
  selinux: allow openvswitch_t net_broadcast and net_raw
  selinux: tag the custom policy version
  selinux: introduce domain transitioned kmod helper
  rhel: selinux-policy to invoke proper label macros

 debian/openvswitch-switch.install  |   1 +
 debian/openvswitch-switch.manpages |   1 +
 rhel/openvswitch-fedora.spec.in    |  12 ++-
 rhel/openvswitch.spec.in           |  12 ++-
 selinux/.gitignore                 |   4 +
 selinux/automake.mk                |   3 +-
 selinux/openvswitch-custom.fc.in   |   1 +
 selinux/openvswitch-custom.te.in   |  91 ++++++++++++++++--
 utilities/.gitignore               |   1 +
 utilities/automake.mk              |   5 +
 utilities/ovs-ctl.in               |  32 +------
 utilities/ovs-kmod-ctl.8           | 109 ++++++++++++++++++++++
 utilities/ovs-kmod-ctl.in          | 183 +++++++++++++++++++++++++++++++++++++
 utilities/ovs-lib.in               |  20 +---
 14 files changed, 417 insertions(+), 58 deletions(-)
 create mode 100644 selinux/openvswitch-custom.fc.in
 create mode 100644 utilities/ovs-kmod-ctl.8
 create mode 100644 utilities/ovs-kmod-ctl.in


More information about the dev mailing list