On 22 February 2016 at 20:18, Flavio Leitner <f...@sysclose.org> wrote:
> On Mon, 15 Feb 2016 17:40:25 -0800
> Ansis Atteka <ansisatt...@gmail.com> wrote:
>
> > From: Ansis Atteka <aatt...@nicira.com>
> >
> > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
> > SELinux policy that is too strict and prevents Open vSwitch to work
> > normally out of the box.
> >
> > As a solution, this patch introduces a new package which will "loosen"
> > up "openvswitch_t" SELinux domain so that Open vSwitch could operate
> > normally.
> >
> > Intended use-cases of this package are:
> > 1. to allow users to install newer Open vSwitch on already released
> Fedora,
> > RHEL and CentOS distributions where the default Open vSwitch SELinux
> policy
> > that shipped with the corresponding Linux distribution is not up to date
> > and did not anticipate that a newer Open vSwitch version might need to
> > invoke new system calls or need to access certain system resources that
> > it did not before; And
> > 2. to provide alternative means through which Open vSwitch developers
> > can proactively fix SELinux related policy issues without waiting for
> > corresponding Linux distribution maintainers to update their central
> > Open vSwitch SELinux policy.
> >
> > This patch was tested on Fedora 23 and CentOS 7. I verified that now
> > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
> > not see following error messages:
> >
> > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > netlink_socket|ERR|fcntl: Permission denied
> > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
> > The Open vSwitch kernel module is p robably not loaded.
> > dpif|WARN|failed to enumerate system datapaths: Permission denied
> > dpif|WARN|failed to create datapath ovs-system: Permission denied
> >
> > I did not test all Open vSwitch features so there still could be some
> > OVS configuration that would get "Permission denied" errors.
> >
> > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under
> "unconfined"
> > SELinux domain, then there is no need to create a similar debian package
> > for Ubuntu, because it works on default Ubuntu installation.
> >
> > Signed-Off-By: Ansis Atteka <aatt...@nicira.com>
> > ---
> > INSTALL.SELinux.md | 166
> ++++++++++++++++++++++++++++++++++++++++
> > Makefile.am | 2 +
> > README.md | 2 +
> > rhel/openvswitch-fedora.spec.in | 27 +++++++
> > selinux/automake.mk | 9 +++
> > selinux/openvswitch-custom.te | 9 +++
> > 6 files changed, 215 insertions(+)
> > create mode 100644 INSTALL.SELinux.md
> > create mode 100644 selinux/automake.mk
> > create mode 100644 selinux/openvswitch-custom.te
> >
> > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md
> > new file mode 100644
> > index 0000000..dc93d6d
> > --- /dev/null
> > +++ b/INSTALL.SELinux.md
> > @@ -0,0 +1,166 @@
> > +Running Open vSwitch under SELinux
> > +==================================
> > +
> > +Security-Enhanced Linux (SELinux) is a Linux kernel security
> > +module that limits "the malicious things" that certain processes,
> > +including OVS, can do to the system in case they get compromised.
> > +In our case SELinux basically serves as the "second line of defense"
> > +that limits the things that OVS processes are allowed to do. The
> > +"first line of defense" is proper input validation that eliminates
> > +code paths that could be used by attacker to do any sort of
> > +"escape attacks" (e.g. file name escape, shell escape, command
> > +line argument escape, buffer escape). Since developers don't
> > +always implement proper input validation, then SELinux Access
> > +Control's goal is to confine damage of such attacks, if they
> > +turned out to be possible.
> > +
> > +Besides Type Enforcement there are other SELinux
> > +features, but they are out of scope for this document.
> > +
> > +Currently there are two SELinux policies for Open vSwitch:
> > +1. the one that ships with your Linux distribution (i.e.
> > + selinux-policy-targeted package); And
> > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy
> > + package).
> > +
> > +
> > +Limitations
> > +-----------
> > +
> > +If Open vSwitch is directly started from command line, then it
> > +will run under "unconfined_t" SELinux domain that basically lets
> > +daemon to do whatever it likes. This is very important for developers
> > +to understand, because they might introduced code in OVS that invokes
> > +new system calls that SELinux policy did not anticipate. This means
> > +that their feature may have worked out just fine for them. However,
> > +if someone else would try to run the same code when Open vSwitch is
> > +started through systemctl, then Open vSwitch would get Permission Denied
> > +errors.
> > +
> > +Currently the only distributions that enforce SELinux on OVS by
> > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also
> > +have some SELinux support, they run Open vSwitch under the unrestricted
> > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards
> > +Apparmor that works slightly differently than SELinux.
> > +
> > +SELinux and Open vSwitch are moving targets. What this means
> > +is that, if you solely rely on your Linux distribution's SELinux policy,
> > +then this policy might not have correctly anticipated that a newer
> > +Open vSwitch version needs extra white list rules. However, if you
> > +solely rely on SELinux policy that ships with Open vSwitch, then
> > +Open vSwitch developers might not have correctly anticipated the
> > +feature set that your SELinux implementation supports.
> > +
> > +
> > +Installation
> > +------------
> > +
> > +Refer to [INSTALL.Fedora.md] for instructions on how to build all
> > +Open vSwitch rpm packages.
> > +
> > +Once the package is built, install it on your Linux distribution with:
> > +
> > + # yum install
> openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
> > +
> > +And, then restart Open vSwitch:
> > +
> > + # systemctl restart openvswitch
> > +
> > +
> > +Troubleshooting
> > +---------------
> > +
> > +When SELinux was implemented some of the standard system utilities
> > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out
> > +under which SELinux security domain process runs, use:
> > +
> > + # ps -AZ | grep ovs-vswitchd
> > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd
> > +
> > +To find out the SELinux label of file or directory, use:
> > +
> > + # ls -Z /etc/openvswitch/conf.db
> > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
> > +
> > +
> > +If, for example, SELinux policy for Open vSwitch is too strict,
> > +then you might see in Open vSwitch log files "Permission Denied"
> > +errors:
> > +
> > + # cat /var/log/openvswitch/ovs-vswitchd.log
> > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
> > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
> > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
> > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
> > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
> > + netlink_socket|ERR|fcntl: Permission denied
> > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not
> exist.
> > + The Open vSwitch kernel module is probably not
> loaded.
> > + dpif|WARN|failed to enumerate system datapaths: Permission denied
> > + dpif|WARN|failed to create datapath ovs-system: Permission denied
> > +
> > +
> > +
> > +However, not all "Permission denied" errors are caused by SELinux. So,
> > +before blaming too strict SELinux policy, make sure that indeed SELinux
> > +was the one that denied OVS access to certain resources, for example,
> run:
> > +
> > + # grep "openvswitch_t" /var/log/audit/audit.log | tail
> > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt }
> for pid=4583 comm="ovs-vswitchd"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket
> permissive=0
> > +
> > +
> > +If SELinux denied OVS access to certain resources, then make sure that
> you
> > +have installed our SELinux policy package that "loosens" up
> distribution's
> > +SELinux policy:
> > +
> > + # rpm -qa | grep openvswitch-selinux
> > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
> > +
> > +And, then verify that this module was indeed loaded:
> > +
> > + # semodule -l | grep openvswitch
> > + openvswitch-custom 1.0
> > + openvswitch 1.1.1
> > +
> > +If you still see Permission denied errors, then take a look
> > +into selinux/openvswitch.te file in the OVS source tree and
> > +try to add white list rules. This is really simple, just run
> > +SELinux audit2allow tool:
> > +
> > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M
> ovslocal
> > +
> > +
> > +Contributing SELinux policy patches
> > +-----------------------------------
> > +
> > +Here are few things to consider before proposing SELinux policy
> > +patches to Open vSwitch developer mailing list:
> > +
> > +1. The SELinux policy that resides in Open vSwitch source tree
> > + amends SELinux policy that ships with your distributions.
> > +
> > + Implications of this are that it is assumed that the distribution's
> > + Open vSwitch SELinux module must be already loaded to satisfy
> > + dependencies.
> > +
> > +2. The SELinux policy that resides in Open vSwitch source tree
> > + must work on all currently relevant Linux distributions.
> > +
> > + Implications of this are that you should use only those SELinux
> > + policy features that are supported by the lowest SELinux version
> > + out there.
> > +
> > +3. The SELinux policy is enforced only when state transition to
> > + openvswitch_t domain happens.
> > +
> > + Implications of this are that perhaps instead of loosening SELinux
> > + policy you can do certain things at the time rpm package is
> installed.
> > +
> > +
> > +
> > +Reporting Bugs
> > +--------------
> > +
> > +Please report problems to b...@openvswitch.org.
> > +
> > +[INSTALL.md]:INSTALL.md
> > diff --git a/Makefile.am b/Makefile.am
> > index 75ccadf..a71a4d6 100644
> > --- a/Makefile.am
> > +++ b/Makefile.am
> > @@ -79,6 +79,7 @@ docs = \
> > INSTALL.Libvirt.md \
> > INSTALL.NetBSD.md \
> > INSTALL.RHEL.md \
> > + INSTALL.SELinux.md \
>
> Makefile uses TABs.
>
>
> > INSTALL.SSL.md \
> > INSTALL.XenServer.md \
> > INSTALL.userspace.md \
> > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk
> > include datapath-windows/include/automake.mk
> > include windows/automake.mk
> > include ovn/automake.mk
> > +include selinux/automake.mk
> > diff --git a/README.md b/README.md
> > index b590928..82065c7 100644
> > --- a/README.md
> > +++ b/README.md
> > @@ -97,6 +97,8 @@ To use Open vSwitch...
> >
> > - ...without using a kernel module, read [INSTALL.userspace.md].
> >
> > +- ...with SELinux, read [INSTALL.SELinux.md].
> > +
> > For answers to common questions, read [FAQ.md].
> >
> > To learn how to set up SSL support for Open vSwitch, read [
> INSTALL.SSL.md].
> > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/
> openvswitch-fedora.spec.in
> > index 00e491b..c018370 100644
> > --- a/rhel/openvswitch-fedora.spec.in
> > +++ b/rhel/openvswitch-fedora.spec.in
> > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel
> > BuildRequires: python python-twisted-core python-zope-interface PyQt4
> python-six
> > BuildRequires: desktop-file-utils
> > BuildRequires: groff graphviz
> > +BuildRequires: checkpolicy, selinux-policy-devel
> > # make check dependencies
> > BuildRequires: procps-ng
> > %if %{with libcapng}
> > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging
> functions and
> > support for the OpenFlow protocol for remote per-flow control of
> > traffic.
> >
> > +%package selinux-policy
> > +Summary: Open vSwitch SELinux policy
> > +License: ASL 2.0
> > +BuildArch: noarch
> > +Requires: selinux-policy-targeted
> > +
> > +%description selinux-policy
> > +Tailored Open vSwitch SELinux policy
> > +
> > %package -n python-openvswitch
> > Summary: Open vSwitch python bindings
> > License: ASL 2.0
> > @@ -131,6 +141,8 @@ overlays and security groups.
> > --with-pkidir=%{_sharedstatedir}/openvswitch/pki
> >
> > make %{?_smp_mflags}
> > +cd selinux
> > +make -f %{_datadir}/selinux/devel/Makefile
> >
> > %install
> > rm -rf $RPM_BUILD_ROOT
> > @@ -172,6 +184,9 @@ install -d -m 0755
> $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
> > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
> > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
> >
> > +install -p -m 644 -D selinux/openvswitch-custom.pp \
> > +
> $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> > +
> > # remove unpackaged files
> > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
> > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \
> > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT
> > fi
> > %endif
> >
> > +%post selinux-policy
> > +/usr/sbin/semodule -i
> %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
> > +
> > %postun
> > %if 0%{?systemd_postun_with_restart:1}
> > %systemd_postun_with_restart %{name}.service
> > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT
> > fi
> > %endif
> >
> > +%postun selinux-policy
> > +if [ $1 -eq 0 ] ; then
> > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
> > +fi
> > +
> > +%files selinux-policy
> > +%defattr(-,root,root)
> > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
> > +
> > %files -n python-openvswitch
> > %{python_sitelib}/ovs
> > %doc COPYING
> > diff --git a/selinux/automake.mk b/selinux/automake.mk
> > new file mode 100644
> > index 0000000..1088f36
> > --- /dev/null
> > +++ b/selinux/automake.mk
> > @@ -0,0 +1,9 @@
> > +# Copyright (C) 2016 Nicira, Inc.
> > +#
> > +# Copying and distribution of this file, with or without modification,
> > +# are permitted in any medium without royalty provided the copyright
> > +# notice and this notice are preserved. This file is offered as-is,
> > +# without warranty of any kind.
> > +
> > +EXTRA_DIST += \
> > + selinux/openvswitch-custom.te
> > diff --git a/selinux/openvswitch-custom.te
> b/selinux/openvswitch-custom.te
> > new file mode 100644
> > index 0000000..fc32b97
> > --- /dev/null
> > +++ b/selinux/openvswitch-custom.te
> > @@ -0,0 +1,9 @@
> > +module openvswitch-custom 1.0;
> > +
> > +require {
> > + type openvswitch_t;
> > + class netlink_socket { setopt getopt create connect getattr
> write read };
> > +}
> > +
> > +#============= openvswitch_t ==============
> > +allow openvswitch_t self:netlink_socket { setopt getopt create connect
> getattr write read };
>
> There is a macro in Fedora 23 called create_socket_perms which expands to:
> { create ioctl read getattr lock write setattr append bind connect \
> getopt setopt shutdown }
>
> and Fedora is shipping the following line instead:
> allow openvswitch_t self:netlink_socket create_socket_perms;
>
> What I am saying is that your version is more restrictive and if you
> haven't tested all use-cases, there might be some still restricted.
>
> I am fine either way.
>
> Therefore, after fixing the Makefile issue:
>
> Acked-by: Flavio Leitner <f...@sysclose.org>
>
Thanks, I fixed Makefile and pushed it.
>
> Thanks!
> --
> fbl
>
>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
