[ovs-dev] [PATCH 0/4] selinux: introduce a transition domain for loading kmods

Timothy Redaelli tredaelli at redhat.com
Wed Mar 21 16:23:00 UTC 2018 

On Tue, 20 Mar 2018 17:05:14 -0400
Aaron Conole <aconole at redhat.com> wrote:

> On linux systems, the initial start of openvswitch attempts to load
> the openvswitch.ko kernel module.  This module allows openvswitch to
> utilize the kernel datapath.
> 
> Some of these linux systems, notably Fedora and RHEL, use selinux to
> enforce additional restrictions on various processes by way of
> allowing or disallowing access from a specific selinux domain to a
> particular operation on an selinux type.  On these systems, the
> openvswitch initialization will be run from the 'openvswitch_t'
> selinux domain. Attempts by a process in the 'openvswitch_t' selinux
> domain to load a kernel module will be denied.
> 
> One solution would be to simply allow 'openvswitch_t' to load a kernel
> directly.  This essentially means that 'openvswitch_t' would really be
> 'unconfined_t' - since an attacker that can control the code can issue
> a kernel load.
> 
> The solution implemented here uses a labeled file in the openvswitch
> scripts directory, which is writable only by root.  That file will
> force a domain transition to the 'openvswitch_load_module_t' domain.
> The 'openvswitch_load_module_t' domain will then be granted
> permissions to load a kernel module.
> 
> Please vet the new permissions in 2/4 *carefully*.  I've tried to keep
> it as restricted as possible.  If there are any useful selinux
> interfaces that would simplify the permission grants needed for the
> new domain, I'm happy to spin a v2.
> 
> Aaron Conole (4):
>   ovs-kmod-ctl: introduce a kernel module load script
>   selinux: create a transition type for module loading
>   selinux: introduce domain transitioned kmod helper
>   rhel: selinux-policy to invoke proper label macros
> 
>  debian/openvswitch-switch.install  |   1 +
>  debian/openvswitch-switch.manpages |   1 +
>  rhel/openvswitch-fedora.spec.in    |  12 +-
>  rhel/openvswitch.spec.in           |   2 +
>  selinux/.gitignore                 |   4 +
>  selinux/automake.mk                |   3 +-
>  selinux/openvswitch-custom.fc.in   |   1 +
>  selinux/openvswitch-custom.te.in   |  79 ++++++++++++-
>  utilities/.gitignore               |   1 +
>  utilities/automake.mk              |   5 +
>  utilities/ovs-ctl.in               |  32 +-----
>  utilities/ovs-kmod-ctl.8           | 103 +++++++++++++++++
>  utilities/ovs-kmod-ctl.in          | 228
> +++++++++++++++++++++++++++++++++++++
> utilities/ovs-lib.in               |  12 +- 14 files changed, 439
> insertions(+), 45 deletions(-) create mode 100644
> selinux/openvswitch-custom.fc.in create mode 100644
> utilities/ovs-kmod-ctl.8 create mode 100644 utilities/ovs-kmod-ctl.in
> 

Series
Acked-By: Timothy Redaelli <tredaelli at redhat.com>

More information about the dev mailing list