Commit bb3af1bf authored by Ansis Atteka's avatar Ansis Atteka Committed by Ansis Atteka

rhel: provide our own SELinux custom policy package

CentOS, RHEL and Fedora distributions ship with their own Open vSwitch
SELinux policy that is too strict and prevents Open vSwitch to work
normally out of the box.

As a solution, this patch introduces a new package which will "loosen"
up "openvswitch_t" SELinux domain so that Open vSwitch could operate
normally.

Intended use-cases of this package are:
1. to allow users to install newer Open vSwitch on already released Fedora,
RHEL and CentOS distributions where the default Open vSwitch SELinux policy
that shipped with the corresponding Linux distribution is not up to date
and did not anticipate that a newer Open vSwitch version might need to
invoke new system calls or need to access certain system resources that
it did not before; And
2. to provide alternative means through which Open vSwitch developers
can proactively fix SELinux related policy issues without waiting for
corresponding Linux distribution maintainers to update their central
Open vSwitch SELinux policy.

This patch was tested on Fedora 23 and CentOS 7. I verified that now
on Fedora 23 Open vSwitch can create a NetLink socket; and that I did
not see following error messages:

vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
netlink_socket|ERR|fcntl: Permission denied
dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
                 The Open vSwitch kernel module is p robably not loaded.
dpif|WARN|failed to enumerate system datapaths: Permission denied
dpif|WARN|failed to create datapath ovs-system: Permission denied

I did not test all Open vSwitch features so there still could be some
OVS configuration that would get "Permission denied" errors.

Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined"
SELinux domain, then there is no need to create a similar debian package
for Ubuntu, because it works on default Ubuntu installation.
Signed-off-by: default avatarAnsis Atteka <aatteka@nicira.com>
Acked-by: default avatarFlavio Leitner <fbl@sysclose.com>
parent 389e302f
Running Open vSwitch under SELinux
==================================
Security-Enhanced Linux (SELinux) is a Linux kernel security
module that limits "the malicious things" that certain processes,
including OVS, can do to the system in case they get compromised.
In our case SELinux basically serves as the "second line of defense"
that limits the things that OVS processes are allowed to do. The
"first line of defense" is proper input validation that eliminates
code paths that could be used by attacker to do any sort of
"escape attacks" (e.g. file name escape, shell escape, command
line argument escape, buffer escape). Since developers don't
always implement proper input validation, then SELinux Access
Control's goal is to confine damage of such attacks, if they
turned out to be possible.
Besides Type Enforcement there are other SELinux
features, but they are out of scope for this document.
Currently there are two SELinux policies for Open vSwitch:
1. the one that ships with your Linux distribution (i.e.
selinux-policy-targeted package); And
2. the one that ships with OVS (i.e. openvswitch-selinux-policy
package).
Limitations
-----------
If Open vSwitch is directly started from command line, then it
will run under "unconfined_t" SELinux domain that basically lets
daemon to do whatever it likes. This is very important for developers
to understand, because they might introduced code in OVS that invokes
new system calls that SELinux policy did not anticipate. This means
that their feature may have worked out just fine for them. However,
if someone else would try to run the same code when Open vSwitch is
started through systemctl, then Open vSwitch would get Permission Denied
errors.
Currently the only distributions that enforce SELinux on OVS by
default are RHEL, CentOS and Fedora. While Ubuntu and Debian also
have some SELinux support, they run Open vSwitch under the unrestricted
"unconfined" domain. Also, it seems that Ubuntu is leaning towards
Apparmor that works slightly differently than SELinux.
SELinux and Open vSwitch are moving targets. What this means
is that, if you solely rely on your Linux distribution's SELinux policy,
then this policy might not have correctly anticipated that a newer
Open vSwitch version needs extra white list rules. However, if you
solely rely on SELinux policy that ships with Open vSwitch, then
Open vSwitch developers might not have correctly anticipated the
feature set that your SELinux implementation supports.
Installation
------------
Refer to [INSTALL.Fedora.md] for instructions on how to build all
Open vSwitch rpm packages.
Once the package is built, install it on your Linux distribution with:
# yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
And, then restart Open vSwitch:
# systemctl restart openvswitch
Troubleshooting
---------------
When SELinux was implemented some of the standard system utilities
acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out
under which SELinux security domain process runs, use:
# ps -AZ | grep ovs-vswitchd
system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd
To find out the SELinux label of file or directory, use:
# ls -Z /etc/openvswitch/conf.db
system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
If, for example, SELinux policy for Open vSwitch is too strict,
then you might see in Open vSwitch log files "Permission Denied"
errors:
# cat /var/log/openvswitch/ovs-vswitchd.log
vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
netlink_socket|ERR|fcntl: Permission denied
dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
The Open vSwitch kernel module is probably not loaded.
dpif|WARN|failed to enumerate system datapaths: Permission denied
dpif|WARN|failed to create datapath ovs-system: Permission denied
However, not all "Permission denied" errors are caused by SELinux. So,
before blaming too strict SELinux policy, make sure that indeed SELinux
was the one that denied OVS access to certain resources, for example, run:
# grep "openvswitch_t" /var/log/audit/audit.log | tail
type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
If SELinux denied OVS access to certain resources, then make sure that you
have installed our SELinux policy package that "loosens" up distribution's
SELinux policy:
# rpm -qa | grep openvswitch-selinux
openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
And, then verify that this module was indeed loaded:
# semodule -l | grep openvswitch
openvswitch-custom 1.0
openvswitch 1.1.1
If you still see Permission denied errors, then take a look
into selinux/openvswitch.te file in the OVS source tree and
try to add white list rules. This is really simple, just run
SELinux audit2allow tool:
# grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
See "Contributing SELinux policy patches" section, if you think
that other Open vSwitch users would benefit from your SELinux policy
changes.
Contributing SELinux policy patches
-----------------------------------
Here are few things to consider before proposing SELinux policy
patches to Open vSwitch developer mailing list:
1. The SELinux policy that resides in Open vSwitch source tree
amends SELinux policy that ships with your distributions.
Implications of this are that it is assumed that the distribution's
Open vSwitch SELinux module must be already loaded to satisfy
dependencies.
2. The SELinux policy that resides in Open vSwitch source tree
must work on all currently relevant Linux distributions.
Implications of this are that you should use only those SELinux
policy features that are supported by the lowest SELinux version
out there. Typically this means that you should test your SELinux
policy changes on the oldest RHEL or CentOS version that this
OVS version supports. Check INSTALL.Fedora.md file to find out
this.
3. The SELinux policy is enforced only when state transition to
openvswitch_t domain happens.
Implications of this are that perhaps instead of loosening SELinux
policy you can do certain things at the time rpm package is installed.
Reporting Bugs
--------------
Please report problems to bugs@openvswitch.org.
[INSTALL.md]:INSTALL.md
......@@ -79,6 +79,7 @@ docs = \
INSTALL.Libvirt.md \
INSTALL.NetBSD.md \
INSTALL.RHEL.md \
INSTALL.SELinux.md \
INSTALL.SSL.md \
INSTALL.XenServer.md \
INSTALL.userspace.md \
......@@ -399,3 +400,4 @@ include datapath-windows/automake.mk
include datapath-windows/include/automake.mk
include windows/automake.mk
include ovn/automake.mk
include selinux/automake.mk
......@@ -40,6 +40,8 @@ v2.5.0 - xx xxx xxxx
* Requires DPDK 2.2
* Added multiqueue support to vhost-user
* Note: QEMU 2.5+ required for multiqueue support
- SELinux:
* Introduced SELinux policy package.
v2.4.0 - 20 Aug 2015
---------------------
......
......@@ -97,6 +97,8 @@ To use Open vSwitch...
- ...without using a kernel module, read [INSTALL.userspace.md].
- ...with SELinux, read [INSTALL.SELinux.md].
For answers to common questions, read [FAQ.md].
To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md].
......
......@@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel
BuildRequires: python python-twisted-core python-zope-interface PyQt4
BuildRequires: desktop-file-utils
BuildRequires: groff graphviz
BuildRequires: checkpolicy, selinux-policy-devel
# make check dependencies
BuildRequires: procps-ng
%if %{with libcapng}
......@@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and
support for the OpenFlow protocol for remote per-flow control of
traffic.
%package selinux-policy
Summary: Open vSwitch SELinux policy
License: ASL 2.0
BuildArch: noarch
Requires: selinux-policy-targeted
%description selinux-policy
Tailored Open vSwitch SELinux policy
%package -n python-openvswitch
Summary: Open vSwitch python bindings
License: ASL 2.0
......@@ -130,6 +140,8 @@ overlays and security groups.
--with-pkidir=%{_sharedstatedir}/openvswitch/pki
make %{?_smp_mflags}
cd selinux
make -f %{_datadir}/selinux/devel/Makefile
%install
rm -rf $RPM_BUILD_ROOT
......@@ -171,6 +183,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch
touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db
touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf
install -p -m 644 -D selinux/openvswitch-custom.pp \
$RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
# remove unpackaged files
rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-benchmark \
$RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \
......@@ -246,6 +261,9 @@ rm -rf $RPM_BUILD_ROOT
fi
%endif
%post selinux-policy
/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || :
%postun
%if 0%{?systemd_postun_with_restart:1}
%systemd_postun_with_restart %{name}.service
......@@ -272,6 +290,15 @@ rm -rf $RPM_BUILD_ROOT
fi
%endif
%postun selinux-policy
if [ $1 -eq 0 ] ; then
/usr/sbin/semodule -r openvswitch-custom &> /dev/null || :
fi
%files selinux-policy
%defattr(-,root,root)
%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
%files -n python-openvswitch
%{python_sitelib}/ovs
%doc COPYING
......
# Copyright (C) 2016 Nicira, Inc.
#
# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved. This file is offered as-is,
# without warranty of any kind.
EXTRA_DIST += \
selinux/openvswitch-custom.te
module openvswitch-custom 1.0;
require {
type openvswitch_t;
class netlink_socket { setopt getopt create connect getattr write read };
}
#============= openvswitch_t ==============
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment