[ovs-dev] [PATCH v2 0/5] selinux: introduce a transition domain for loading kmods

Ansis Atteka ansisatteka at gmail.com
Wed May 9 23:37:05 UTC 2018


On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole at redhat.com> wrote:

> On linux systems, the initial start of openvswitch attempts to load
> the openvswitch.ko kernel module.  This module allows openvswitch to
> utilize the kernel datapath.

> Some of these linux systems, notably Fedora and RHEL, use selinux to
> enforce additional restrictions on various processes by way of allowing
> or disallowing access from a specific selinux domain to a particular
> operation on an selinux type.  On these systems, the openvswitch
> initialization will be run from the 'openvswitch_t' selinux domain.
> Attempts by a process in the 'openvswitch_t' selinux domain to load a
> kernel module will be denied.

> One solution would be to simply allow 'openvswitch_t' to load a kernel
> directly.  This essentially means that 'openvswitch_t' would really be
> 'unconfined_t' - since an attacker that can control the code can issue
> a kernel load.

> The solution implemented here uses a labeled file in the openvswitch
> scripts directory, which is writable only by root.  That file will force
> a domain transition to the 'openvswitch_load_module_t' domain.  The
> 'openvswitch_load_module_t' domain will then be granted permissions to
> load a kernel module.

> The labelling won't take place until after the changes implemented in 4/4,
> so it is really important to test the automatic labelling after that
> point.

> v1->v2:
> * Added a new commit to set the selinux-policy module version
> * Added changes to the centos build in 4/4 to match the fedora build
> * Fixed the manpage in 1/5


Thanks. I wanted to test this on Fedora 27 too (with poc/builders), but I am
getting this error:

[root@fedoraubuilder x86_64]# yum install openvswitch-2.9.90-1.x86_64.rpm
Last metadata expiration check: 1:18:01 ago on Wed 09 May 2018 09:56:08 PM UTC.
Error:
   Problem: conflicting requests
    - nothing provides /bin/python2 needed by openvswitch-2.9.90-1.x86_64
[root@fedoraubuilder x86_64]# /bin/python2 --version
Python 2.7.14
[root@fedoraubuilder x86_64]# rpm -q --whatprovides /bin/python
python2-2.7.14-10.fc27.x86_64
[root@fedoraubuilder x86_64]# rpm -qR  openvswitch-2.9.90-1.x86_64.rpm  | grep -i python
/bin/python2

Based on the openvswitch-fedora.spec.in file, my understanding is that it should
have picked python3, right? Though I also have python2, so that error seems
strange to me.

> Aaron Conole (5):
>     ovs-kmod-ctl: introduce a kernel module load script
>     selinux: create a transition type for module loading
>     selinux: tag the custom policy version
>     selinux: introduce domain transitioned kmod helper
>     rhel: selinux-policy to invoke proper label macros

>    debian/openvswitch-switch.install  |   1 +
>    debian/openvswitch-switch.manpages |   1 +
>    rhel/openvswitch-fedora.spec.in    |  12 +-
>    rhel/openvswitch.spec.in           |  12 +-
>    selinux/.gitignore                 |   4 +
>    selinux/automake.mk                |   3 +-
>    selinux/openvswitch-custom.fc.in   |   1 +
>    selinux/openvswitch-custom.te.in   |  81 ++++++++++++-
>    utilities/.gitignore               |   1 +
>    utilities/automake.mk              |   5 +
>    utilities/ovs-ctl.in               |  32 +-----
>    utilities/ovs-kmod-ctl.8           | 109 ++++++++++++++++++
>    utilities/ovs-kmod-ctl.in          | 228 +++++++++++++++++++++++++++++++++++++
>    utilities/ovs-lib.in               |  12 +-
>    14 files changed, 454 insertions(+), 48 deletions(-)
>    create mode 100644 selinux/openvswitch-custom.fc.in
>    create mode 100644 utilities/ovs-kmod-ctl.8
>    create mode 100644 utilities/ovs-kmod-ctl.in

> --
> 2.14.3
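
The domain transition the cover letter describes, sketched as an added refpolicy-style example; this is not the policy from the patch series, and the exec type name, the helper's path, and the specific interface calls used are assumptions (only openvswitch_t and openvswitch_load_module_t come from the cover letter):

```selinux
policy_module(openvswitch-custom-example, 1.0)

# Illustrative sketch, not the project's selinux/openvswitch-custom.te.in.
gen_require(`
    type openvswitch_t;
    role system_r;
')

# The transition domain named in the cover letter, plus an entrypoint type
# (assumed name) that is stamped onto the root-only helper script.
type openvswitch_load_module_t;
type openvswitch_load_module_exec_t;
application_domain(openvswitch_load_module_t, openvswitch_load_module_exec_t)
role system_r types openvswitch_load_module_t;

# Executing a file labelled openvswitch_load_module_exec_t from openvswitch_t
# automatically enters openvswitch_load_module_t. Because the file is writable
# only by root, a compromised openvswitch_t process cannot swap in its own
# code and still reach the privileged domain.
domain_auto_trans(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t)

# Module-loading rights live only in the transition domain; openvswitch_t
# itself still has no sys_module capability, which is the whole point versus
# simply allowing openvswitch_t to load modules (the "unconfined_t" outcome).
allow openvswitch_load_module_t self:capability sys_module;
kernel_load_module(openvswitch_load_module_t)
kernel_request_load_module(openvswitch_load_module_t)

# Matching file context entry (normally kept in the .fc file); the path is a
# placeholder, since the cover letter only says "the openvswitch scripts
# directory":
#   /path/to/openvswitch/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
```

Once the module is loaded and the file context applied with restorecon, `sesearch -T -s openvswitch_t -t openvswitch_load_module_exec_t` should show the type transition, and `sesearch -A -s openvswitch_t -c capability -p sys_module` should show nothing.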
