[ovs-dev] selinux: Add missing permissions for ovs-kmod-ctl

Message ID 1546904899-26470-1-git-send-email-yihung.wei@gmail.com
State Accepted
Series
  • [ovs-dev] selinux: Add missing permissions for ovs-kmod-ctl

Commit Message

Yi-Hung Wei Jan. 7, 2019, 11:48 p.m.
Starting from OVS 2.10, ovs-vswitchd may fail to run after a system reboot
since it fails to load the OVS kernel module.  This is because the conntrack
zone limit feature introduced in OVS 2.10 now depends on the
nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading the
two kernel modules.

Example log of the AVC violations:
    type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
    for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

    type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
    pid=819 comm="modprobe" kmod="nf_conntrack-2"
    scontext=system_u:system_r:openvswitch_load_module_t:s0
    tcontext=system_u:system_r:kernel_t:s0 tclass=system

This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl
so that the aforementioned issue is resolved.

VMWare-BZ: #2257534
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
 selinux/openvswitch-custom.te.in | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
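The commit message shows the two AVC records that motivated the change and the patch below hand-translates them into allow rules. As an added example that is not part of the patch or of the OVS project, the following Python script does that translation mechanically: it parses AVC records into (source type, target type, class, permissions), emits the minimal allow rule for each, and then checks a policy snippet to see which denials it still leaves uncovered. The sample audit lines are constructed from the commit message, the two policy snippets are constructed from the pre- and post-patch lines of openvswitch-custom.te.in, and every function name here is an assumption of this example, not an OVS or SELinux API.

```python
"""Derive SELinux allow rules from AVC denial records and check a policy
against them.

Added example: this is not code from the OVS patch or project. The sample
audit lines and policy snippets below are constructed here from the AVC
records in the commit message and from the pre-/post-patch lines of
openvswitch-custom.te.in; everything else is an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the commit message, each on
# one line as they would appear in audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans } for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for  pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# Constructed sample: the relevant allow rules before and after the patch.
POLICY_BEFORE = """\
allow openvswitch_load_module_t self:system module_load;
allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
"""
POLICY_AFTER = """\
allow openvswitch_load_module_t kernel_t:system module_request;
allow openvswitch_load_module_t self:system module_load;
allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr };
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)


def context_type(ctx):
    """Return the type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into (source_type, target_type, tclass, perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def derive_allow_rules(audit_text):
    """Collapse denials into one allow rule per (source, target, class) triple."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, cls, perms = parsed
            needed[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def parse_policy(policy_text):
    """Collect granted permissions from allow rules; 'self' expands to the source type."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        if tgt == "self":
            tgt = src
        granted[(src, tgt, cls)] |= set(perms.strip("{} ").split())
    return granted


def uncovered_denials(audit_text, policy_text):
    """Return denials the policy still does not allow, as (src, tgt, cls, missing_perms)."""
    granted = parse_policy(policy_text)
    missing = []
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        lacking = perms - granted.get((src, tgt, cls), set())
        if lacking:
            missing.append((src, tgt, cls, frozenset(lacking)))
    return missing


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AUDIT_LOG):
        print("candidate:", rule)
    print("still denied before patch:", uncovered_denials(SAMPLE_AUDIT_LOG, POLICY_BEFORE))
    print("still denied after patch: ", uncovered_denials(SAMPLE_AUDIT_LOG, POLICY_AFTER))
```

Run against the pre-patch snippet the script reports both denials as uncovered; against the post-patch snippet it reports none, which is the check a reviewer wants before and after applying such a change. audit2allow does the same derivation with far more care, and the output of either tool is a candidate, not an answer: the derived module_request rule is not scoped to a module name, so it should be reviewed and commented rather than pasted in.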

Comments

Aaron Conole Jan. 8, 2019, 3:26 p.m. | #1
Yi-Hung Wei <yihung.wei@gmail.com> writes:

> Starting from OVS 2.10, ovs-vswitchd may fail to run after a system reboot
> since it fails to load the OVS kernel module.  This is because the conntrack
> zone limit feature introduced in OVS 2.10 now depends on the
> nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading the
> two kernel modules.
>
> Example log of the AVC violations:
>     type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
>     for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
>     scontext=system_u:system_r:openvswitch_load_module_t:s0
>     tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
>     type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
>     pid=819 comm="modprobe" kmod="nf_conntrack-2"
>     scontext=system_u:system_r:openvswitch_load_module_t:s0
>     tcontext=system_u:system_r:kernel_t:s0 tclass=system
>
> This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl
> so that the aforementioned issue is resolved.
>
> VMWare-BZ: #2257534
> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
> ---

Good catch.

Acked-by: Aaron Conole <aconole@redhat.com>
Ben Pfaff Jan. 18, 2019, 10:04 p.m. | #2
On Tue, Jan 08, 2019 at 10:26:10AM -0500, Aaron Conole wrote:
> Yi-Hung Wei <yihung.wei@gmail.com> writes:
> 
> > Starting from OVS 2.10, ovs-vswitchd may fail to run after a system reboot
> > since it fails to load the OVS kernel module.  This is because the conntrack
> > zone limit feature introduced in OVS 2.10 now depends on the
> > nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading the
> > two kernel modules.
> >
> > Example log of the AVC violations:
> >     type=AVC msg=audit(1546903594.735:29): avc:  denied  { execute_no_trans }
> >     for  pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
> >     scontext=system_u:system_r:openvswitch_load_module_t:s0
> >     tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> >
> >     type=AVC msg=audit(1546903594.791:30): avc:  denied  { module_request } for
> >     pid=819 comm="modprobe" kmod="nf_conntrack-2"
> >     scontext=system_u:system_r:openvswitch_load_module_t:s0
> >     tcontext=system_u:system_r:kernel_t:s0 tclass=system
> >
> > This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl
> > so that the aforementioned issue is resolved.
> >
> > VMWare-BZ: #2257534
> > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
> > ---
> 
> Good catch.
> 
> Acked-by: Aaron Conole <aconole@redhat.com>

Thanks, Yi-hung (and Aaron).  I applied this to master and branch-2.10.

Patch

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 4a16e5eefdf7..26495828a655 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -16,6 +16,7 @@  require {
         type init_t;
         type init_var_run_t;
         type insmod_exec_t;
+        type kernel_t;
         type hostname_exec_t;
         type modules_conf_t;
         type modules_object_t;
@@ -32,7 +33,6 @@  require {
 
 @begin_dpdk@
         type hugetlbfs_t;
-        type kernel_t;
         type svirt_t;
         type svirt_image_t;
         type svirt_tmpfs_t;
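Review bot: the removal of `type kernel_t;` from this `@begin_dpdk@` block is what keeps the type from being declared twice now that the first require block declares it unconditionally; since the new `kernel_t:system module_request` rule is needed with and without DPDK, it is worth confirming the module still builds with DPDK both enabled and disabled before merging.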
@@ -51,7 +51,7 @@  require {
         class netlink_audit_socket { create nlmsg_relay audit_write read write };
         class netlink_socket { setopt getopt create connect getattr write read };
         class sock_file { write };
-        class system module_load;
+        class system { module_load module_request };
         class process { sigchld signull transition noatsecure siginh rlimitinh };
         class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
 
@@ -110,6 +110,7 @@  allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
 allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
 allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
+allow openvswitch_load_module_t kernel_t:system module_request;
 allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
 allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
 allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
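Review bot: `kernel_t:system module_request` is not scoped to a module name, so this line lets openvswitch_load_module_t ask the kernel to autoload any module alias, not only the `nf_conntrack-2` alias in the AVC record; SELinux offers no finer permission for this, but a one-line comment above the rule naming the conntrack zone limit dependency on nf_conntrack_ipv4/6 would tell the next reader why the rule exists and when it could be dropped.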
@@ -120,7 +121,7 @@  allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute
 allow openvswitch_load_module_t proc_t:file { getattr open read };
 allow openvswitch_load_module_t self:system module_load;
 allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
-allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
+allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr };
 allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
 allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
 allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
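Review bot: adding `execute_no_trans` to shell_exec_t lets modprobe, running as openvswitch_load_module_t, execute /usr/bin/bash inside that same domain rather than transitioning, which is exactly what the first AVC record in the commit message reports; a short comment on why modprobe needs to spawn a shell here would make the rule easier to revisit later. Unrelated to this change, the unchanged context line `allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };` lists `siginh` twice; harmless, but a separate cleanup could drop the duplicate.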