[ovs-dev] [PATCH v2 0/5] selinux: introduce a transition domain for loading kmods

Aaron Conole aconole at redhat.com
Thu May 10 13:32:49 UTC 2018


Ansis Atteka <ansisatteka at gmail.com> writes:

> On Fri, 4 May 2018 at 11:28, Aaron Conole <aconole at redhat.com> wrote:
>
>> On linux systems, the initial start of openvswitch attempts to load
>> the openvswitch.ko kernel module.  This module allows openvswitch to
>> utilize the kernel datapath.
>
>> Some of these linux systems, notably Fedora and RHEL, use selinux to
>> enforce additional restrictions on various processes by way of allowing
>> or disallowing access from a specific selinux domain to a particular
>> operation on an selinux type.  On these systems, the openvswitch
>> initialization will be run from the 'openvswitch_t' selinux domain.
>> Attempts by a process in the 'openvswitch_t' selinux domain to load a
>> kernel module will be denied.
>
>> One solution would be to simply allow 'openvswitch_t' to load a kernel
>> directly.  This essentially means that 'openvswitch_t' would really be
>> 'unconfined_t' - since an attacker that can control the code can issue
>> a kernel load.
>
>> The solution implemented here uses a labeled file in the openvswitch
>> scripts directory, which is writable only by root.  That file will force
>> a domain transition to the 'openvswitch_load_module_t' domain.  The
>> 'openvswitch_load_module_t' domain will then be granted permissions to
>> load a kernel module.
>
>> The labelling won't take place until after the changes implemented in 4/4,
>> so it is really important to test the automatic labelling after that
> point.
>
>> v1->v2:
>> * Added a new commit to set the selinux-policy module version
>> * Added changes to the centos build in 4/4 to match the fedora build
>> * Fixed the manpage in 1/5
>
>
> Thanks. I wanted to test this on Fedora 27 too (with poc/builders), but I am
> getting this error:
>
> [root at fedoraubuilder x86_64]# yum install openvswitch-2.9.90-1.x86_64.rpm
> Last metadata expiration check: 1:18:01 ago on Wed 09 May 2018 09:56:08 PM
> UTC.
> Error:
>    Problem: conflicting requests
>     - nothing provides /bin/python2 needed by openvswitch-2.9.90-1.x86_64
> [root at fedoraubuilder x86_64]# /bin/python2 --version
> Python 2.7.14
> [root at fedoraubuilder x86_64]# rpm -q --whatprovides /bin/python
> python2-2.7.14-10.fc27.x86_64
> [root at fedoraubuilder x86_64]# rpm -qR  openvswitch-2.9.90-1.x86_64.rpm  |
> grep -i python
> /bin/python2
>
> based on openvswitch-fedora.spec.in file my understanding is that it should
> have picked python3 right? Though, I also have python2 so that error seems
> strange to me.

I think it's related to the changes that went in with commit
db8dcbaf1c57 ("packaging: Make Fedora spec file CentOS compatible")
but I don't know for sure.

Timothy? Leif?

>> Aaron Conole (5):
>>     ovs-kmod-ctl: introduce a kernel module load script
>>     selinux: create a transition type for module loading
>>     selinux: tag the custom policy version
>>     selinux: introduce domain transitioned kmod helper
>>     rhel: selinux-policy to invoke proper label macros
>
>>    debian/openvswitch-switch.install  |   1 +
>>    debian/openvswitch-switch.manpages |   1 +
>>    rhel/openvswitch-fedora.spec.in    |  12 +-
>>    rhel/openvswitch.spec.in           |  12 +-
>>    selinux/.gitignore                 |   4 +
>>    selinux/automake.mk                |   3 +-
>>    selinux/openvswitch-custom.fc.in   |   1 +
>>    selinux/openvswitch-custom.te.in   |  81 ++++++++++++-
>>    utilities/.gitignore               |   1 +
>>    utilities/automake.mk              |   5 +
>>    utilities/ovs-ctl.in               |  32 +-----
>>    utilities/ovs-kmod-ctl.8           | 109 ++++++++++++++++++
>>    utilities/ovs-kmod-ctl.in          | 228
> +++++++++++++++++++++++++++++++++++++
>>    utilities/ovs-lib.in               |  12 +-
>>    14 files changed, 454 insertions(+), 48 deletions(-)
>>    create mode 100644 selinux/openvswitch-custom.fc.in
>>    create mode 100644 utilities/ovs-kmod-ctl.8
>>    create mode 100644 utilities/ovs-kmod-ctl.in
>
>> --
>> 2.14.3


More information about the dev mailing list