| Message ID | 1455586825-65307-1-git-send-email-ansisatteka@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
Thanks for this work, Ansis! Ansis Atteka <ansisatteka@gmail.com> writes: > From: Ansis Atteka <aatteka@nicira.com> > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch > SELinux policy that is too strict and prevents Open vSwitch to work > normally out of the box. > > As a solution, this patch introduces a new package which will "loosen" > up "openvswitch_t" SELinux domain so that Open vSwitch could operate > normally. > > Intended use-cases of this package are: > 1. to allow users to install newer Open vSwitch on already released Fedora, > RHEL and CentOS distributions where the default Open vSwitch SELinux policy > that shipped with the corresponding Linux distribution is not up to date > and did not anticipate that a newer Open vSwitch version might need to > invoke new system calls or need to access certain system resources that > it did not before; And > 2. to provide alternative means through which Open vSwitch developers > can proactively fix SELinux related policy issues without waiting for > corresponding Linux distribution maintainers to update their central > Open vSwitch SELinux policy. > > This patch was tested on Fedora 23 and CentOS 7. I verified that now > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did > not see following error messages: > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > netlink_socket|ERR|fcntl: Permission denied > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > The Open vSwitch kernel module is p robably not loaded. > dpif|WARN|failed to enumerate system datapaths: Permission denied > dpif|WARN|failed to create datapath ovs-system: Permission denied > > I did not test all Open vSwitch features so there still could be some > OVS configuration that would get "Permission denied" errors. > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined" > SELinux domain, then there is no need to create a similar debian package > for Ubuntu, because it works on default Ubuntu installation. > > Signed-Off-By: Ansis Atteka <aatteka@nicira.com> > --- > INSTALL.SELinux.md | 166 ++++++++++++++++++++++++++++++++++++++++ > Makefile.am | 2 + > README.md | 2 + > rhel/openvswitch-fedora.spec.in | 27 +++++++ > selinux/automake.mk | 9 +++ > selinux/openvswitch-custom.te | 9 +++ > 6 files changed, 215 insertions(+) > create mode 100644 INSTALL.SELinux.md > create mode 100644 selinux/automake.mk > create mode 100644 selinux/openvswitch-custom.te > > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md > new file mode 100644 > index 0000000..dc93d6d > --- /dev/null > +++ b/INSTALL.SELinux.md > @@ -0,0 +1,166 @@ > +Running Open vSwitch under SELinux > +================================== > + > +Security-Enhanced Linux (SELinux) is a Linux kernel security > +module that limits "the malicious things" that certain processes, > +including OVS, can do to the system in case they get compromised. > +In our case SELinux basically serves as the "second line of defense" > +that limits the things that OVS processes are allowed to do. The > +"first line of defense" is proper input validation that eliminates > +code paths that could be used by attacker to do any sort of > +"escape attacks" (e.g. file name escape, shell escape, command > +line argument escape, buffer escape). Since developers don't > +always implement proper input validation, then SELinux Access > +Control's goal is to confine damage of such attacks, if they > +turned out to be possible. > + > +Besides Type Enforcement there are other SELinux > +features, but they are out of scope for this document. > + > +Currently there are two SELinux policies for Open vSwitch: > +1. the one that ships with your Linux distribution (i.e. > + selinux-policy-targeted package); And > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy > + package). > + > + > +Limitations > +----------- > + > +If Open vSwitch is directly started from command line, then it > +will run under "unconfined_t" SELinux domain that basically lets > +daemon to do whatever it likes. This is very important for developers > +to understand, because they might introduced code in OVS that invokes > +new system calls that SELinux policy did not anticipate. This means > +that their feature may have worked out just fine for them. However, > +if someone else would try to run the same code when Open vSwitch is > +started through systemctl, then Open vSwitch would get Permission Denied > +errors. > + > +Currently the only distributions that enforce SELinux on OVS by > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also > +have some SELinux support, they run Open vSwitch under the unrestricted > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards > +Apparmor that works slightly differently than SELinux. > + > +SELinux and Open vSwitch are moving targets. What this means > +is that, if you solely rely on your Linux distribution's SELinux policy, > +then this policy might not have correctly anticipated that a newer > +Open vSwitch version needs extra white list rules. However, if you > +solely rely on SELinux policy that ships with Open vSwitch, then > +Open vSwitch developers might not have correctly anticipated the > +feature set that your SELinux implementation supports. > + > + > +Installation > +------------ > + > +Refer to [INSTALL.Fedora.md] for instructions on how to build all > +Open vSwitch rpm packages. > + > +Once the package is built, install it on your Linux distribution with: > + > + # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm > + > +And, then restart Open vSwitch: > + > + # systemctl restart openvswitch > + > + > +Troubleshooting > +--------------- > + > +When SELinux was implemented some of the standard system utilities > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out > +under which SELinux security domain process runs, use: > + > + # ps -AZ | grep ovs-vswitchd > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd > + > +To find out the SELinux label of file or directory, use: > + > + # ls -Z /etc/openvswitch/conf.db > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db > + > + > +If, for example, SELinux policy for Open vSwitch is too strict, > +then you might see in Open vSwitch log files "Permission Denied" > +errors: > + > + # cat /var/log/openvswitch/ovs-vswitchd.log > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > + netlink_socket|ERR|fcntl: Permission denied > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > + The Open vSwitch kernel module is probably not loaded. > + dpif|WARN|failed to enumerate system datapaths: Permission denied > + dpif|WARN|failed to create datapath ovs-system: Permission denied > + > + > + > +However, not all "Permission denied" errors are caused by SELinux. So, > +before blaming too strict SELinux policy, make sure that indeed SELinux > +was the one that denied OVS access to certain resources, for example, run: > + > + # grep "openvswitch_t" /var/log/audit/audit.log | tail > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0 > + > + > +If SELinux denied OVS access to certain resources, then make sure that you > +have installed our SELinux policy package that "loosens" up distribution's > +SELinux policy: > + > + # rpm -qa | grep openvswitch-selinux > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch > + > +And, then verify that this module was indeed loaded: > + > + # semodule -l | grep openvswitch > + openvswitch-custom 1.0 > + openvswitch 1.1.1 > + > +If you still see Permission denied errors, then take a look > +into selinux/openvswitch.te file in the OVS source tree and > +try to add white list rules. This is really simple, just run > +SELinux audit2allow tool: > + > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal Should this also state to report the issue as a bug to dev@openvswitch.org? Maybe it's out of scope? I don't know. This is good information definitely. > +Contributing SELinux policy patches > +----------------------------------- > + > +Here are few things to consider before proposing SELinux policy > +patches to Open vSwitch developer mailing list: > + > +1. The SELinux policy that resides in Open vSwitch source tree > + amends SELinux policy that ships with your distributions. > + > + Implications of this are that it is assumed that the distribution's > + Open vSwitch SELinux module must be already loaded to satisfy > + dependencies. > + > +2. The SELinux policy that resides in Open vSwitch source tree > + must work on all currently relevant Linux distributions. > + > + Implications of this are that you should use only those SELinux > + policy features that are supported by the lowest SELinux version > + out there. Maybe there should just be an explicit version to use, which can be bumped. Otherwise it's very difficult to figure out which version can be used. > +3. The SELinux policy is enforced only when state transition to > + openvswitch_t domain happens. > + > + Implications of this are that perhaps instead of loosening SELinux > + policy you can do certain things at the time rpm package is installed. > + > + > + > +Reporting Bugs > +-------------- > + > +Please report problems to bugs@openvswitch.org. > + > +[INSTALL.md]:INSTALL.md > diff --git a/Makefile.am b/Makefile.am > index 75ccadf..a71a4d6 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -79,6 +79,7 @@ docs = \ > INSTALL.Libvirt.md \ > INSTALL.NetBSD.md \ > INSTALL.RHEL.md \ > + INSTALL.SELinux.md \ > INSTALL.SSL.md \ > INSTALL.XenServer.md \ > INSTALL.userspace.md \ > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk > include datapath-windows/include/automake.mk > include windows/automake.mk > include ovn/automake.mk > +include selinux/automake.mk > diff --git a/README.md b/README.md > index b590928..82065c7 100644 > --- a/README.md > +++ b/README.md > @@ -97,6 +97,8 @@ To use Open vSwitch... > > - ...without using a kernel module, read [INSTALL.userspace.md]. > > +- ...with SELinux, read [INSTALL.SELinux.md]. > + > For answers to common questions, read [FAQ.md]. > > To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md]. > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in > index 00e491b..c018370 100644 > --- a/rhel/openvswitch-fedora.spec.in > +++ b/rhel/openvswitch-fedora.spec.in > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel > BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six > BuildRequires: desktop-file-utils > BuildRequires: groff graphviz > +BuildRequires: checkpolicy, selinux-policy-devel > # make check dependencies > BuildRequires: procps-ng > %if %{with libcapng} > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and > support for the OpenFlow protocol for remote per-flow control of > traffic. > > +%package selinux-policy > +Summary: Open vSwitch SELinux policy > +License: ASL 2.0 > +BuildArch: noarch > +Requires: selinux-policy-targeted > + > +%description selinux-policy > +Tailored Open vSwitch SELinux policy > + > %package -n python-openvswitch > Summary: Open vSwitch python bindings > License: ASL 2.0 > @@ -131,6 +141,8 @@ overlays and security groups. > --with-pkidir=%{_sharedstatedir}/openvswitch/pki > > make %{?_smp_mflags} > +cd selinux > +make -f %{_datadir}/selinux/devel/Makefile > > %install > rm -rf $RPM_BUILD_ROOT > @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf > > +install -p -m 644 -D selinux/openvswitch-custom.pp \ > + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > + > # remove unpackaged files > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT > fi > %endif > > +%post selinux-policy > +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > + > %postun > %if 0%{?systemd_postun_with_restart:1} > %systemd_postun_with_restart %{name}.service > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT > fi > %endif > > +%postun selinux-policy > +if [ $1 -eq 0 ] ; then > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > +fi > + > +%files selinux-policy > +%defattr(-,root,root) > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > + > %files -n python-openvswitch > %{python_sitelib}/ovs > %doc COPYING > diff --git a/selinux/automake.mk b/selinux/automake.mk > new file mode 100644 > index 0000000..1088f36 > --- /dev/null > +++ b/selinux/automake.mk > @@ -0,0 +1,9 @@ > +# Copyright (C) 2016 Nicira, Inc. > +# > +# Copying and distribution of this file, with or without modification, > +# are permitted in any medium without royalty provided the copyright > +# notice and this notice are preserved. This file is offered as-is, > +# without warranty of any kind. > + > +EXTRA_DIST += \ > + selinux/openvswitch-custom.te > diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te > new file mode 100644 > index 0000000..fc32b97 > --- /dev/null > +++ b/selinux/openvswitch-custom.te > @@ -0,0 +1,9 @@ > +module openvswitch-custom 1.0; > + > +require { > + type openvswitch_t; > + class netlink_socket { setopt getopt create connect getattr write read }; > +} > + > +#============= openvswitch_t ============== > +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; Should any of the dpdk requirements go in at this time, or should that be considered future work (ie: hugepage access, etc.)? I know that dpdk will become non-experimental in the future, and before that happens this should be known.
On 16 February 2016 at 07:33, Aaron Conole <aconole@redhat.com> wrote: > Thanks for this work, Ansis! > > Ansis Atteka <ansisatteka@gmail.com> writes: > > > From: Ansis Atteka <aatteka@nicira.com> > > > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch > > SELinux policy that is too strict and prevents Open vSwitch to work > > normally out of the box. > > > > As a solution, this patch introduces a new package which will "loosen" > > up "openvswitch_t" SELinux domain so that Open vSwitch could operate > > normally. > > > > Intended use-cases of this package are: > > 1. to allow users to install newer Open vSwitch on already released > Fedora, > > RHEL and CentOS distributions where the default Open vSwitch SELinux > policy > > that shipped with the corresponding Linux distribution is not up to date > > and did not anticipate that a newer Open vSwitch version might need to > > invoke new system calls or need to access certain system resources that > > it did not before; And > > 2. to provide alternative means through which Open vSwitch developers > > can proactively fix SELinux related policy issues without waiting for > > corresponding Linux distribution maintainers to update their central > > Open vSwitch SELinux policy. > > > > This patch was tested on Fedora 23 and CentOS 7. I verified that now > > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did > > not see following error messages: > > > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > netlink_socket|ERR|fcntl: Permission denied > > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > > The Open vSwitch kernel module is p robably not loaded. > > dpif|WARN|failed to enumerate system datapaths: Permission denied > > dpif|WARN|failed to create datapath ovs-system: Permission denied > > > > I did not test all Open vSwitch features so there still could be some > > OVS configuration that would get "Permission denied" errors. > > > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under > "unconfined" > > SELinux domain, then there is no need to create a similar debian package > > for Ubuntu, because it works on default Ubuntu installation. > > > > Signed-Off-By: Ansis Atteka <aatteka@nicira.com> > > --- > > INSTALL.SELinux.md | 166 > ++++++++++++++++++++++++++++++++++++++++ > > Makefile.am | 2 + > > README.md | 2 + > > rhel/openvswitch-fedora.spec.in | 27 +++++++ > > selinux/automake.mk | 9 +++ > > selinux/openvswitch-custom.te | 9 +++ > > 6 files changed, 215 insertions(+) > > create mode 100644 INSTALL.SELinux.md > > create mode 100644 selinux/automake.mk > > create mode 100644 selinux/openvswitch-custom.te > > > > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md > > new file mode 100644 > > index 0000000..dc93d6d > > --- /dev/null > > +++ b/INSTALL.SELinux.md > > @@ -0,0 +1,166 @@ > > +Running Open vSwitch under SELinux > > +================================== > > + > > +Security-Enhanced Linux (SELinux) is a Linux kernel security > > +module that limits "the malicious things" that certain processes, > > +including OVS, can do to the system in case they get compromised. > > +In our case SELinux basically serves as the "second line of defense" > > +that limits the things that OVS processes are allowed to do. The > > +"first line of defense" is proper input validation that eliminates > > +code paths that could be used by attacker to do any sort of > > +"escape attacks" (e.g. file name escape, shell escape, command > > +line argument escape, buffer escape). Since developers don't > > +always implement proper input validation, then SELinux Access > > +Control's goal is to confine damage of such attacks, if they > > +turned out to be possible. > > + > > +Besides Type Enforcement there are other SELinux > > +features, but they are out of scope for this document. > > + > > +Currently there are two SELinux policies for Open vSwitch: > > +1. the one that ships with your Linux distribution (i.e. > > + selinux-policy-targeted package); And > > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy > > + package). > > + > > + > > +Limitations > > +----------- > > + > > +If Open vSwitch is directly started from command line, then it > > +will run under "unconfined_t" SELinux domain that basically lets > > +daemon to do whatever it likes. This is very important for developers > > +to understand, because they might introduced code in OVS that invokes > > +new system calls that SELinux policy did not anticipate. This means > > +that their feature may have worked out just fine for them. However, > > +if someone else would try to run the same code when Open vSwitch is > > +started through systemctl, then Open vSwitch would get Permission Denied > > +errors. > > + > > +Currently the only distributions that enforce SELinux on OVS by > > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also > > +have some SELinux support, they run Open vSwitch under the unrestricted > > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards > > +Apparmor that works slightly differently than SELinux. > > + > > +SELinux and Open vSwitch are moving targets. What this means > > +is that, if you solely rely on your Linux distribution's SELinux policy, > > +then this policy might not have correctly anticipated that a newer > > +Open vSwitch version needs extra white list rules. However, if you > > +solely rely on SELinux policy that ships with Open vSwitch, then > > +Open vSwitch developers might not have correctly anticipated the > > +feature set that your SELinux implementation supports. > > + > > + > > +Installation > > +------------ > > + > > +Refer to [INSTALL.Fedora.md] for instructions on how to build all > > +Open vSwitch rpm packages. > > + > > +Once the package is built, install it on your Linux distribution with: > > + > > + # yum install > openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm > > + > > +And, then restart Open vSwitch: > > + > > + # systemctl restart openvswitch > > + > > + > > +Troubleshooting > > +--------------- > > + > > +When SELinux was implemented some of the standard system utilities > > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out > > +under which SELinux security domain process runs, use: > > + > > + # ps -AZ | grep ovs-vswitchd > > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd > > + > > +To find out the SELinux label of file or directory, use: > > + > > + # ls -Z /etc/openvswitch/conf.db > > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db > > + > > + > > +If, for example, SELinux policy for Open vSwitch is too strict, > > +then you might see in Open vSwitch log files "Permission Denied" > > +errors: > > + > > + # cat /var/log/openvswitch/ovs-vswitchd.log > > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > + netlink_socket|ERR|fcntl: Permission denied > > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not > exist. > > + The Open vSwitch kernel module is probably not > loaded. > > + dpif|WARN|failed to enumerate system datapaths: Permission denied > > + dpif|WARN|failed to create datapath ovs-system: Permission denied > > + > > + > > + > > +However, not all "Permission denied" errors are caused by SELinux. So, > > +before blaming too strict SELinux policy, make sure that indeed SELinux > > +was the one that denied OVS access to certain resources, for example, > run: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | tail > > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } > for pid=4583 comm="ovs-vswitchd" > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket > permissive=0 > > + > > + > > +If SELinux denied OVS access to certain resources, then make sure that > you > > +have installed our SELinux policy package that "loosens" up > distribution's > > +SELinux policy: > > + > > + # rpm -qa | grep openvswitch-selinux > > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch > > + > > +And, then verify that this module was indeed loaded: > > + > > + # semodule -l | grep openvswitch > > + openvswitch-custom 1.0 > > + openvswitch 1.1.1 > > + > > +If you still see Permission denied errors, then take a look > > +into selinux/openvswitch.te file in the OVS source tree and > > +try to add white list rules. This is really simple, just run > > +SELinux audit2allow tool: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M > ovslocal > > Should this also state to report the issue as a bug to > dev@openvswitch.org? Maybe it's out of scope? I don't know. This is good > information definitely. > Yes, I think we should be more explicit that contributions to SELinux policy are welcome. How about: See "Contributing SELinux policy patches" section, if you think that other Open vSwitch users would benefit from this change. > > > +Contributing SELinux policy patches > > +----------------------------------- > > + > > +Here are few things to consider before proposing SELinux policy > > +patches to Open vSwitch developer mailing list: > > + > > +1. The SELinux policy that resides in Open vSwitch source tree > > + amends SELinux policy that ships with your distributions. > > + > > + Implications of this are that it is assumed that the distribution's > > + Open vSwitch SELinux module must be already loaded to satisfy > > + dependencies. > > + > > +2. The SELinux policy that resides in Open vSwitch source tree > > + must work on all currently relevant Linux distributions. > > + > > + Implications of this are that you should use only those SELinux > > + policy features that are supported by the lowest SELinux version > > + out there. > > Maybe there should just be an explicit version to use, which can be > bumped. Otherwise it's very difficult to figure out which version can be > used. > I did not want to put specific SELinux version in this file because that would imply that someone has to make sure it does not get out dated. So, how about replacing the last paragraph with: Implications of this are that you should use only those SELinux policy features that are supported by the lowest relevant SELinux version out there. Typically this means that you should test your SELinux policy changes on the oldest RHEL or CentOS version that this OVS version supports. Check INSTALL.Fedora.md file to find out this. > > > > +3. The SELinux policy is enforced only when state transition to > > + openvswitch_t domain happens. > > + > > + Implications of this are that perhaps instead of loosening SELinux > > + policy you can do certain things at the time rpm package is > installed. > > + > > + > > + > > +Reporting Bugs > > +-------------- > > + > > +Please report problems to bugs@openvswitch.org. > > + > > +[INSTALL.md]:INSTALL.md > > diff --git a/Makefile.am b/Makefile.am > > index 75ccadf..a71a4d6 100644 > > --- a/Makefile.am > > +++ b/Makefile.am > > @@ -79,6 +79,7 @@ docs = \ > > INSTALL.Libvirt.md \ > > INSTALL.NetBSD.md \ > > INSTALL.RHEL.md \ > > + INSTALL.SELinux.md \ > > INSTALL.SSL.md \ > > INSTALL.XenServer.md \ > > INSTALL.userspace.md \ > > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk > > include datapath-windows/include/automake.mk > > include windows/automake.mk > > include ovn/automake.mk > > +include selinux/automake.mk > > diff --git a/README.md b/README.md > > index b590928..82065c7 100644 > > --- a/README.md > > +++ b/README.md > > @@ -97,6 +97,8 @@ To use Open vSwitch... > > > > - ...without using a kernel module, read [INSTALL.userspace.md]. > > > > +- ...with SELinux, read [INSTALL.SELinux.md]. > > + > > For answers to common questions, read [FAQ.md]. > > > > To learn how to set up SSL support for Open vSwitch, read [ > INSTALL.SSL.md]. > > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/ > openvswitch-fedora.spec.in > > index 00e491b..c018370 100644 > > --- a/rhel/openvswitch-fedora.spec.in > > +++ b/rhel/openvswitch-fedora.spec.in > > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel > > BuildRequires: python python-twisted-core python-zope-interface PyQt4 > python-six > > BuildRequires: desktop-file-utils > > BuildRequires: groff graphviz > > +BuildRequires: checkpolicy, selinux-policy-devel > > # make check dependencies > > BuildRequires: procps-ng > > %if %{with libcapng} > > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging > functions and > > support for the OpenFlow protocol for remote per-flow control of > > traffic. > > > > +%package selinux-policy > > +Summary: Open vSwitch SELinux policy > > +License: ASL 2.0 > > +BuildArch: noarch > > +Requires: selinux-policy-targeted > > + > > +%description selinux-policy > > +Tailored Open vSwitch SELinux policy > > + > > %package -n python-openvswitch > > Summary: Open vSwitch python bindings > > License: ASL 2.0 > > @@ -131,6 +141,8 @@ overlays and security groups. > > --with-pkidir=%{_sharedstatedir}/openvswitch/pki > > > > make %{?_smp_mflags} > > +cd selinux > > +make -f %{_datadir}/selinux/devel/Makefile > > > > %install > > rm -rf $RPM_BUILD_ROOT > > @@ -172,6 +184,9 @@ install -d -m 0755 > $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf > > > > +install -p -m 644 -D selinux/openvswitch-custom.pp \ > > + > $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > # remove unpackaged files > > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ > > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%post selinux-policy > > +/usr/sbin/semodule -i > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > > + > > %postun > > %if 0%{?systemd_postun_with_restart:1} > > %systemd_postun_with_restart %{name}.service > > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%postun selinux-policy > > +if [ $1 -eq 0 ] ; then > > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > > +fi > > + > > +%files selinux-policy > > +%defattr(-,root,root) > > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > %files -n python-openvswitch > > %{python_sitelib}/ovs > > %doc COPYING > > diff --git a/selinux/automake.mk b/selinux/automake.mk > > new file mode 100644 > > index 0000000..1088f36 > > --- /dev/null > > +++ b/selinux/automake.mk > > @@ -0,0 +1,9 @@ > > +# Copyright (C) 2016 Nicira, Inc. > > +# > > +# Copying and distribution of this file, with or without modification, > > +# are permitted in any medium without royalty provided the copyright > > +# notice and this notice are preserved. This file is offered as-is, > > +# without warranty of any kind. > > + > > +EXTRA_DIST += \ > > + selinux/openvswitch-custom.te > > diff --git a/selinux/openvswitch-custom.te > b/selinux/openvswitch-custom.te > > new file mode 100644 > > index 0000000..fc32b97 > > --- /dev/null > > +++ b/selinux/openvswitch-custom.te > > @@ -0,0 +1,9 @@ > > +module openvswitch-custom 1.0; > > + > > +require { > > + type openvswitch_t; > > + class netlink_socket { setopt getopt create connect getattr > write read }; > > +} > > + > > +#============= openvswitch_t ============== > > +allow openvswitch_t self:netlink_socket { setopt getopt create connect > getattr write read }; > > Should any of the dpdk requirements go in at this time, or should that > be considered future work (ie: hugepage access, etc.)? I know that dpdk > will become non-experimental in the future, and before that happens this > should be known. > I imagined that we should add all DPDK (and other) related white list rules in separate patches. Here is my not so significant reasoning behind this: 1. If we keep this initial patch simple it may be simpler to backport it to older OVS branches without having to cut out DPDK part that may not apply to older OVS versions. 2. git-blame could be used to find out origin of each SELinux line, if patches are introduced separately for each feature 3. I haven't had a chance yet to run audit2allow for DPDK OVS to understand all its requirements. I thought to do this once the packaging work is done. However, I am ok to reconsider this if you think we should add as much as possible white list rules in the initial patch.
Ansis Atteka <ansisatteka@gmail.com> writes: > On 16 February 2016 at 07:33, Aaron Conole <aconole@redhat.com> wrote: > > > Thanks for this work, Ansis! > > Ansis Atteka <ansisatteka@gmail.com> writes: > > > From: Ansis Atteka <aatteka@nicira.com> > > > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch > > SELinux policy that is too strict and prevents Open vSwitch to work > > normally out of the box. > > > > As a solution, this patch introduces a new package which will "loosen" > > up "openvswitch_t" SELinux domain so that Open vSwitch could operate > > normally. > > > > Intended use-cases of this package are: > > 1. to allow users to install newer Open vSwitch on already released Fedora, > > RHEL and CentOS distributions where the default Open vSwitch SELinux policy > > that shipped with the corresponding Linux distribution is not up to date > > and did not anticipate that a newer Open vSwitch version might need to > > invoke new system calls or need to access certain system resources that > > it did not before; And > > 2. to provide alternative means through which Open vSwitch developers > > can proactively fix SELinux related policy issues without waiting for > > corresponding Linux distribution maintainers to update their central > > Open vSwitch SELinux policy. > > > > This patch was tested on Fedora 23 and CentOS 7. I verified that now > > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did > > not see following error messages: > > > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > netlink_socket|ERR|fcntl: Permission denied > > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > > The Open vSwitch kernel module is p robably not loaded. > > dpif|WARN|failed to enumerate system datapaths: Permission denied > > dpif|WARN|failed to create datapath ovs-system: Permission denied > > > > I did not test all Open vSwitch features so there still could be some > > OVS configuration that would get "Permission denied" errors. > > > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined" > > SELinux domain, then there is no need to create a similar debian package > > for Ubuntu, because it works on default Ubuntu installation. > > > > Signed-Off-By: Ansis Atteka <aatteka@nicira.com> > > --- > > INSTALL.SELinux.md | 166 > ++++++++++++++++++++++++++++++++++++++++ > > Makefile.am | 2 + > > README.md | 2 + > > rhel/openvswitch-fedora.spec.in | 27 +++++++ > > selinux/automake.mk | 9 +++ > > selinux/openvswitch-custom.te | 9 +++ > > 6 files changed, 215 insertions(+) > > create mode 100644 INSTALL.SELinux.md > > create mode 100644 selinux/automake.mk > > create mode 100644 selinux/openvswitch-custom.te > > > > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md > > new file mode 100644 > > index 0000000..dc93d6d > > --- /dev/null > > +++ b/INSTALL.SELinux.md > > @@ -0,0 +1,166 @@ > > +Running Open vSwitch under SELinux > > +================================== > > + > > +Security-Enhanced Linux (SELinux) is a Linux kernel security > > +module that limits "the malicious things" that certain processes, > > +including OVS, can do to the system in case they get compromised. > > +In our case SELinux basically serves as the "second line of defense" > > +that limits the things that OVS processes are allowed to do. The > > +"first line of defense" is proper input validation that eliminates > > +code paths that could be used by attacker to do any sort of > > +"escape attacks" (e.g. file name escape, shell escape, command > > +line argument escape, buffer escape). Since developers don't > > +always implement proper input validation, then SELinux Access > > +Control's goal is to confine damage of such attacks, if they > > +turned out to be possible. > > + > > +Besides Type Enforcement there are other SELinux > > +features, but they are out of scope for this document. > > + > > +Currently there are two SELinux policies for Open vSwitch: > > +1. the one that ships with your Linux distribution (i.e. > > + selinux-policy-targeted package); And > > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy > > + package). > > + > > + > > +Limitations > > +----------- > > + > > +If Open vSwitch is directly started from command line, then it > > +will run under "unconfined_t" SELinux domain that basically lets > > +daemon to do whatever it likes. This is very important for developers > > +to understand, because they might introduced code in OVS that invokes > > +new system calls that SELinux policy did not anticipate. This means > > +that their feature may have worked out just fine for them. However, > > +if someone else would try to run the same code when Open vSwitch is > > +started through systemctl, then Open vSwitch would get Permission Denied > > +errors. > > + > > +Currently the only distributions that enforce SELinux on OVS by > > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also > > +have some SELinux support, they run Open vSwitch under the unrestricted > > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards > > +Apparmor that works slightly differently than SELinux. > > + > > +SELinux and Open vSwitch are moving targets. What this means > > +is that, if you solely rely on your Linux distribution's SELinux policy, > > +then this policy might not have correctly anticipated that a newer > > +Open vSwitch version needs extra white list rules. However, if you > > +solely rely on SELinux policy that ships with Open vSwitch, then > > +Open vSwitch developers might not have correctly anticipated the > > +feature set that your SELinux implementation supports. > > + > > + > > +Installation > > +------------ > > + > > +Refer to [INSTALL.Fedora.md] for instructions on how to build all > > +Open vSwitch rpm packages. > > + > > +Once the package is built, install it on your Linux distribution with: > > + > > + # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm > > + > > +And, then restart Open vSwitch: > > + > > + # systemctl restart openvswitch > > + > > + > > +Troubleshooting > > +--------------- > > + > > +When SELinux was implemented some of the standard system utilities > > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out > > +under which SELinux security domain process runs, use: > > + > > + # ps -AZ | grep ovs-vswitchd > > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd > > + > > +To find out the SELinux label of file or directory, use: > > + > > + # ls -Z /etc/openvswitch/conf.db > > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db > > + > > + > > +If, for example, SELinux policy for Open vSwitch is too strict, > > +then you might see in Open vSwitch log files "Permission Denied" > > +errors: > > + > > + # cat /var/log/openvswitch/ovs-vswitchd.log > > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > + netlink_socket|ERR|fcntl: Permission denied > > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > > + The Open vSwitch kernel module is probably not loaded. > > + dpif|WARN|failed to enumerate system datapaths: Permission denied > > + dpif|WARN|failed to create datapath ovs-system: Permission denied > > + > > + > > + > > +However, not all "Permission denied" errors are caused by SELinux. So, > > +before blaming too strict SELinux policy, make sure that indeed SELinux > > +was the one that denied OVS access to certain resources, for example, run: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | tail > > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 > comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0 > > + > > + > > +If SELinux denied OVS access to certain resources, then make sure that you > > +have installed our SELinux policy package that "loosens" up distribution's > > +SELinux policy: > > + > > + # rpm -qa | grep openvswitch-selinux > > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch > > + > > +And, then verify that this module was indeed loaded: > > + > > + # semodule -l | grep openvswitch > > + openvswitch-custom 1.0 > > + openvswitch 1.1.1 > > + > > +If you still see Permission denied errors, then take a look > > +into selinux/openvswitch.te file in the OVS source tree and > > +try to add white list rules. This is really simple, just run > > +SELinux audit2allow tool: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal > > Should this also state to report the issue as a bug to > dev@openvswitch.org? Maybe it's out of scope? I don't know. This is good > information definitely. > > > Yes, I think we should be more explicit that contributions to SELinux policy are welcome. How > about: > > See "Contributing SELinux policy patches" section, if you think that other > Open vSwitch users would benefit from this change. LGTM > > +Contributing SELinux policy patches > > +----------------------------------- > > + > > +Here are few things to consider before proposing SELinux policy > > +patches to Open vSwitch developer mailing list: > > + > > +1. The SELinux policy that resides in Open vSwitch source tree > > + amends SELinux policy that ships with your distributions. > > + > > + Implications of this are that it is assumed that the distribution's > > + Open vSwitch SELinux module must be already loaded to satisfy > > + dependencies. > > + > > +2. The SELinux policy that resides in Open vSwitch source tree > > + must work on all currently relevant Linux distributions. > > + > > + Implications of this are that you should use only those SELinux > > + policy features that are supported by the lowest SELinux version > > + out there. > > Maybe there should just be an explicit version to use, which can be > bumped. Otherwise it's very difficult to figure out which version can be > used. > > > I did not want to put specific SELinux version in this file because that would imply that someone has > to make sure it does not get out dated. So, how about replacing the last paragraph with: > > Implications of this are that you should use only those SELinux > policy features that are supported by the lowest relevant SELinux version > out there. Typically this means that you should test your SELinux policy changes > on the oldest RHEL or CentOS version that this OVS version supports. Check > INSTALL.Fedora.md file to find out this. That makes sense, or even just say read the INSTALL which is appropriate to your operating system? Either way, just want to be clear so that users don't get a wrong impression. > > +3. The SELinux policy is enforced only when state transition to > > + openvswitch_t domain happens. > > + > > + Implications of this are that perhaps instead of loosening SELinux > > + policy you can do certain things at the time rpm package is installed. > > + > > + > > + > > +Reporting Bugs > > +-------------- > > + > > +Please report problems to bugs@openvswitch.org. > > + > > +[INSTALL.md]:INSTALL.md > > diff --git a/Makefile.am b/Makefile.am > > index 75ccadf..a71a4d6 100644 > > --- a/Makefile.am > > +++ b/Makefile.am > > @@ -79,6 +79,7 @@ docs = \ > > INSTALL.Libvirt.md \ > > INSTALL.NetBSD.md \ > > INSTALL.RHEL.md \ > > + INSTALL.SELinux.md \ > > INSTALL.SSL.md \ > > INSTALL.XenServer.md \ > > INSTALL.userspace.md \ > > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk > > include datapath-windows/include/automake.mk > > include windows/automake.mk > > include ovn/automake.mk > > +include selinux/automake.mk > > diff --git a/README.md b/README.md > > index b590928..82065c7 100644 > > --- a/README.md > > +++ b/README.md > > @@ -97,6 +97,8 @@ To use Open vSwitch... > > > > - ...without using a kernel module, read [INSTALL.userspace.md]. > > > > +- ...with SELinux, read [INSTALL.SELinux.md]. > > + > > For answers to common questions, read [FAQ.md]. > > > > To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md]. > > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in > > index 00e491b..c018370 100644 > > --- a/rhel/openvswitch-fedora.spec.in > > +++ b/rhel/openvswitch-fedora.spec.in > > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel > > BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six > > BuildRequires: desktop-file-utils > > BuildRequires: groff graphviz > > +BuildRequires: checkpolicy, selinux-policy-devel > > # make check dependencies > > BuildRequires: procps-ng > > %if %{with libcapng} > > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and > > support for the OpenFlow protocol for remote per-flow control of > > traffic. > > > > +%package selinux-policy > > +Summary: Open vSwitch SELinux policy > > +License: ASL 2.0 > > +BuildArch: noarch > > +Requires: selinux-policy-targeted > > + > > +%description selinux-policy > > +Tailored Open vSwitch SELinux policy > > + > > %package -n python-openvswitch > > Summary: Open vSwitch python bindings > > License: ASL 2.0 > > @@ -131,6 +141,8 @@ overlays and security groups. > > --with-pkidir=%{_sharedstatedir}/openvswitch/pki > > > > make %{?_smp_mflags} > > +cd selinux > > +make -f %{_datadir}/selinux/devel/Makefile > > > > %install > > rm -rf $RPM_BUILD_ROOT > > @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/% > {_sharedstatedir}/openvswitch > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf > > > > +install -p -m 644 -D selinux/openvswitch-custom.pp \ > > + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > # remove unpackaged files > > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ > > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%post selinux-policy > > +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> > /dev/null || : > > + > > %postun > > %if 0%{?systemd_postun_with_restart:1} > > %systemd_postun_with_restart %{name}.service > > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%postun selinux-policy > > +if [ $1 -eq 0 ] ; then > > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > > +fi > > + > > +%files selinux-policy > > +%defattr(-,root,root) > > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > %files -n python-openvswitch > > %{python_sitelib}/ovs > > %doc COPYING > > diff --git a/selinux/automake.mk b/selinux/automake.mk > > new file mode 100644 > > index 0000000..1088f36 > > --- /dev/null > > +++ b/selinux/automake.mk > > @@ -0,0 +1,9 @@ > > +# Copyright (C) 2016 Nicira, Inc. > > +# > > +# Copying and distribution of this file, with or without modification, > > +# are permitted in any medium without royalty provided the copyright > > +# notice and this notice are preserved. This file is offered as-is, > > +# without warranty of any kind. > > + > > +EXTRA_DIST += \ > > + selinux/openvswitch-custom.te > > diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te > > new file mode 100644 > > index 0000000..fc32b97 > > --- /dev/null > > +++ b/selinux/openvswitch-custom.te > > @@ -0,0 +1,9 @@ > > +module openvswitch-custom 1.0; > > + > > +require { > > + type openvswitch_t; > > + class netlink_socket { setopt getopt create connect getattr write read }; > > +} > > + > > +#============= openvswitch_t ============== > > +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read > }; > > Should any of the dpdk requirements go in at this time, or should that > be considered future work (ie: hugepage access, etc.)? I know that dpdk > will become non-experimental in the future, and before that happens this > should be known. > > > I imagined that we should add all DPDK (and other) related white list rules in separate patches. Here > is my not so significant reasoning behind this: > 1. If we keep this initial patch simple it may be simpler to backport it to older OVS branches without > having to cut out DPDK part that may not apply to older OVS versions. > 2. git-blame could be used to find out origin of each SELinux line, if patches are introduced > separately for each feature > 3. I haven't had a chance yet to run audit2allow for DPDK OVS to understand all its requirements. I > thought to do this once the packaging work is done. > > However, I am ok to reconsider this if you think we should add as much as possible white list rules in > the initial patch. Nope, what you've written makes sense. Given there's not much testing and usage of the DPDK ovs at the moment (at least compared to non-DPDK ovs), that should be deferred. I also like the idea to use the blame to find out how each selinux policy came to be, so okay :) -Aaron
On Mon, 15 Feb 2016 17:40:25 -0800 Ansis Atteka <ansisatteka@gmail.com> wrote: > From: Ansis Atteka <aatteka@nicira.com> > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch > SELinux policy that is too strict and prevents Open vSwitch to work > normally out of the box. > > As a solution, this patch introduces a new package which will "loosen" > up "openvswitch_t" SELinux domain so that Open vSwitch could operate > normally. > > Intended use-cases of this package are: > 1. to allow users to install newer Open vSwitch on already released Fedora, > RHEL and CentOS distributions where the default Open vSwitch SELinux policy > that shipped with the corresponding Linux distribution is not up to date > and did not anticipate that a newer Open vSwitch version might need to > invoke new system calls or need to access certain system resources that > it did not before; And > 2. to provide alternative means through which Open vSwitch developers > can proactively fix SELinux related policy issues without waiting for > corresponding Linux distribution maintainers to update their central > Open vSwitch SELinux policy. > > This patch was tested on Fedora 23 and CentOS 7. I verified that now > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did > not see following error messages: > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > netlink_socket|ERR|fcntl: Permission denied > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > The Open vSwitch kernel module is p robably not loaded. > dpif|WARN|failed to enumerate system datapaths: Permission denied > dpif|WARN|failed to create datapath ovs-system: Permission denied > > I did not test all Open vSwitch features so there still could be some > OVS configuration that would get "Permission denied" errors. > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under "unconfined" > SELinux domain, then there is no need to create a similar debian package > for Ubuntu, because it works on default Ubuntu installation. > > Signed-Off-By: Ansis Atteka <aatteka@nicira.com> > --- > INSTALL.SELinux.md | 166 ++++++++++++++++++++++++++++++++++++++++ > Makefile.am | 2 + > README.md | 2 + > rhel/openvswitch-fedora.spec.in | 27 +++++++ > selinux/automake.mk | 9 +++ > selinux/openvswitch-custom.te | 9 +++ > 6 files changed, 215 insertions(+) > create mode 100644 INSTALL.SELinux.md > create mode 100644 selinux/automake.mk > create mode 100644 selinux/openvswitch-custom.te > > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md > new file mode 100644 > index 0000000..dc93d6d > --- /dev/null > +++ b/INSTALL.SELinux.md > @@ -0,0 +1,166 @@ > +Running Open vSwitch under SELinux > +================================== > + > +Security-Enhanced Linux (SELinux) is a Linux kernel security > +module that limits "the malicious things" that certain processes, > +including OVS, can do to the system in case they get compromised. > +In our case SELinux basically serves as the "second line of defense" > +that limits the things that OVS processes are allowed to do. The > +"first line of defense" is proper input validation that eliminates > +code paths that could be used by attacker to do any sort of > +"escape attacks" (e.g. file name escape, shell escape, command > +line argument escape, buffer escape). Since developers don't > +always implement proper input validation, then SELinux Access > +Control's goal is to confine damage of such attacks, if they > +turned out to be possible. > + > +Besides Type Enforcement there are other SELinux > +features, but they are out of scope for this document. > + > +Currently there are two SELinux policies for Open vSwitch: > +1. the one that ships with your Linux distribution (i.e. > + selinux-policy-targeted package); And > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy > + package). > + > + > +Limitations > +----------- > + > +If Open vSwitch is directly started from command line, then it > +will run under "unconfined_t" SELinux domain that basically lets > +daemon to do whatever it likes. This is very important for developers > +to understand, because they might introduced code in OVS that invokes > +new system calls that SELinux policy did not anticipate. This means > +that their feature may have worked out just fine for them. However, > +if someone else would try to run the same code when Open vSwitch is > +started through systemctl, then Open vSwitch would get Permission Denied > +errors. > + > +Currently the only distributions that enforce SELinux on OVS by > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also > +have some SELinux support, they run Open vSwitch under the unrestricted > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards > +Apparmor that works slightly differently than SELinux. > + > +SELinux and Open vSwitch are moving targets. What this means > +is that, if you solely rely on your Linux distribution's SELinux policy, > +then this policy might not have correctly anticipated that a newer > +Open vSwitch version needs extra white list rules. However, if you > +solely rely on SELinux policy that ships with Open vSwitch, then > +Open vSwitch developers might not have correctly anticipated the > +feature set that your SELinux implementation supports. > + > + > +Installation > +------------ > + > +Refer to [INSTALL.Fedora.md] for instructions on how to build all > +Open vSwitch rpm packages. > + > +Once the package is built, install it on your Linux distribution with: > + > + # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm > + > +And, then restart Open vSwitch: > + > + # systemctl restart openvswitch > + > + > +Troubleshooting > +--------------- > + > +When SELinux was implemented some of the standard system utilities > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out > +under which SELinux security domain process runs, use: > + > + # ps -AZ | grep ovs-vswitchd > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd > + > +To find out the SELinux label of file or directory, use: > + > + # ls -Z /etc/openvswitch/conf.db > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db > + > + > +If, for example, SELinux policy for Open vSwitch is too strict, > +then you might see in Open vSwitch log files "Permission Denied" > +errors: > + > + # cat /var/log/openvswitch/ovs-vswitchd.log > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > + netlink_socket|ERR|fcntl: Permission denied > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > + The Open vSwitch kernel module is probably not loaded. > + dpif|WARN|failed to enumerate system datapaths: Permission denied > + dpif|WARN|failed to create datapath ovs-system: Permission denied > + > + > + > +However, not all "Permission denied" errors are caused by SELinux. So, > +before blaming too strict SELinux policy, make sure that indeed SELinux > +was the one that denied OVS access to certain resources, for example, run: > + > + # grep "openvswitch_t" /var/log/audit/audit.log | tail > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0 > + > + > +If SELinux denied OVS access to certain resources, then make sure that you > +have installed our SELinux policy package that "loosens" up distribution's > +SELinux policy: > + > + # rpm -qa | grep openvswitch-selinux > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch > + > +And, then verify that this module was indeed loaded: > + > + # semodule -l | grep openvswitch > + openvswitch-custom 1.0 > + openvswitch 1.1.1 > + > +If you still see Permission denied errors, then take a look > +into selinux/openvswitch.te file in the OVS source tree and > +try to add white list rules. This is really simple, just run > +SELinux audit2allow tool: > + > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal > + > + > +Contributing SELinux policy patches > +----------------------------------- > + > +Here are few things to consider before proposing SELinux policy > +patches to Open vSwitch developer mailing list: > + > +1. The SELinux policy that resides in Open vSwitch source tree > + amends SELinux policy that ships with your distributions. > + > + Implications of this are that it is assumed that the distribution's > + Open vSwitch SELinux module must be already loaded to satisfy > + dependencies. > + > +2. The SELinux policy that resides in Open vSwitch source tree > + must work on all currently relevant Linux distributions. > + > + Implications of this are that you should use only those SELinux > + policy features that are supported by the lowest SELinux version > + out there. > + > +3. The SELinux policy is enforced only when state transition to > + openvswitch_t domain happens. > + > + Implications of this are that perhaps instead of loosening SELinux > + policy you can do certain things at the time rpm package is installed. > + > + > + > +Reporting Bugs > +-------------- > + > +Please report problems to bugs@openvswitch.org. > + > +[INSTALL.md]:INSTALL.md > diff --git a/Makefile.am b/Makefile.am > index 75ccadf..a71a4d6 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -79,6 +79,7 @@ docs = \ > INSTALL.Libvirt.md \ > INSTALL.NetBSD.md \ > INSTALL.RHEL.md \ > + INSTALL.SELinux.md \ Makefile uses TABs. > INSTALL.SSL.md \ > INSTALL.XenServer.md \ > INSTALL.userspace.md \ > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk > include datapath-windows/include/automake.mk > include windows/automake.mk > include ovn/automake.mk > +include selinux/automake.mk > diff --git a/README.md b/README.md > index b590928..82065c7 100644 > --- a/README.md > +++ b/README.md > @@ -97,6 +97,8 @@ To use Open vSwitch... > > - ...without using a kernel module, read [INSTALL.userspace.md]. > > +- ...with SELinux, read [INSTALL.SELinux.md]. > + > For answers to common questions, read [FAQ.md]. > > To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md]. > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in > index 00e491b..c018370 100644 > --- a/rhel/openvswitch-fedora.spec.in > +++ b/rhel/openvswitch-fedora.spec.in > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel > BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six > BuildRequires: desktop-file-utils > BuildRequires: groff graphviz > +BuildRequires: checkpolicy, selinux-policy-devel > # make check dependencies > BuildRequires: procps-ng > %if %{with libcapng} > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and > support for the OpenFlow protocol for remote per-flow control of > traffic. > > +%package selinux-policy > +Summary: Open vSwitch SELinux policy > +License: ASL 2.0 > +BuildArch: noarch > +Requires: selinux-policy-targeted > + > +%description selinux-policy > +Tailored Open vSwitch SELinux policy > + > %package -n python-openvswitch > Summary: Open vSwitch python bindings > License: ASL 2.0 > @@ -131,6 +141,8 @@ overlays and security groups. > --with-pkidir=%{_sharedstatedir}/openvswitch/pki > > make %{?_smp_mflags} > +cd selinux > +make -f %{_datadir}/selinux/devel/Makefile > > %install > rm -rf $RPM_BUILD_ROOT > @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf > > +install -p -m 644 -D selinux/openvswitch-custom.pp \ > + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > + > # remove unpackaged files > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT > fi > %endif > > +%post selinux-policy > +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > + > %postun > %if 0%{?systemd_postun_with_restart:1} > %systemd_postun_with_restart %{name}.service > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT > fi > %endif > > +%postun selinux-policy > +if [ $1 -eq 0 ] ; then > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > +fi > + > +%files selinux-policy > +%defattr(-,root,root) > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > + > %files -n python-openvswitch > %{python_sitelib}/ovs > %doc COPYING > diff --git a/selinux/automake.mk b/selinux/automake.mk > new file mode 100644 > index 0000000..1088f36 > --- /dev/null > +++ b/selinux/automake.mk > @@ -0,0 +1,9 @@ > +# Copyright (C) 2016 Nicira, Inc. > +# > +# Copying and distribution of this file, with or without modification, > +# are permitted in any medium without royalty provided the copyright > +# notice and this notice are preserved. This file is offered as-is, > +# without warranty of any kind. > + > +EXTRA_DIST += \ > + selinux/openvswitch-custom.te > diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te > new file mode 100644 > index 0000000..fc32b97 > --- /dev/null > +++ b/selinux/openvswitch-custom.te > @@ -0,0 +1,9 @@ > +module openvswitch-custom 1.0; > + > +require { > + type openvswitch_t; > + class netlink_socket { setopt getopt create connect getattr write read }; > +} > + > +#============= openvswitch_t ============== > +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; There is a macro in Fedora 23 called create_socket_perms which expands to: { create ioctl read getattr lock write setattr append bind connect \ getopt setopt shutdown } and Fedora is shipping the following line instead: allow openvswitch_t self:netlink_socket create_socket_perms; What I am saying is that your version is more restrictive and if you haven't tested all use-cases, there might be some still restricted. I am fine either way. Therefore, after fixing the Makefile issue: Acked-by: Flavio Leitner <fbl@sysclose.org> Thanks!
On 22 February 2016 at 20:18, Flavio Leitner <fbl@sysclose.org> wrote: > On Mon, 15 Feb 2016 17:40:25 -0800 > Ansis Atteka <ansisatteka@gmail.com> wrote: > > > From: Ansis Atteka <aatteka@nicira.com> > > > > CentOS, RHEL and Fedora distributions ship with their own Open vSwitch > > SELinux policy that is too strict and prevents Open vSwitch to work > > normally out of the box. > > > > As a solution, this patch introduces a new package which will "loosen" > > up "openvswitch_t" SELinux domain so that Open vSwitch could operate > > normally. > > > > Intended use-cases of this package are: > > 1. to allow users to install newer Open vSwitch on already released > Fedora, > > RHEL and CentOS distributions where the default Open vSwitch SELinux > policy > > that shipped with the corresponding Linux distribution is not up to date > > and did not anticipate that a newer Open vSwitch version might need to > > invoke new system calls or need to access certain system resources that > > it did not before; And > > 2. to provide alternative means through which Open vSwitch developers > > can proactively fix SELinux related policy issues without waiting for > > corresponding Linux distribution maintainers to update their central > > Open vSwitch SELinux policy. > > > > This patch was tested on Fedora 23 and CentOS 7. I verified that now > > on Fedora 23 Open vSwitch can create a NetLink socket; and that I did > > not see following error messages: > > > > vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > netlink_socket|ERR|fcntl: Permission denied > > dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. > > The Open vSwitch kernel module is p robably not loaded. > > dpif|WARN|failed to enumerate system datapaths: Permission denied > > dpif|WARN|failed to create datapath ovs-system: Permission denied > > > > I did not test all Open vSwitch features so there still could be some > > OVS configuration that would get "Permission denied" errors. > > > > Since, Open vSwitch daemons on Ubuntu 15.10 by default run under > "unconfined" > > SELinux domain, then there is no need to create a similar debian package > > for Ubuntu, because it works on default Ubuntu installation. > > > > Signed-Off-By: Ansis Atteka <aatteka@nicira.com> > > --- > > INSTALL.SELinux.md | 166 > ++++++++++++++++++++++++++++++++++++++++ > > Makefile.am | 2 + > > README.md | 2 + > > rhel/openvswitch-fedora.spec.in | 27 +++++++ > > selinux/automake.mk | 9 +++ > > selinux/openvswitch-custom.te | 9 +++ > > 6 files changed, 215 insertions(+) > > create mode 100644 INSTALL.SELinux.md > > create mode 100644 selinux/automake.mk > > create mode 100644 selinux/openvswitch-custom.te > > > > diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md > > new file mode 100644 > > index 0000000..dc93d6d > > --- /dev/null > > +++ b/INSTALL.SELinux.md > > @@ -0,0 +1,166 @@ > > +Running Open vSwitch under SELinux > > +================================== > > + > > +Security-Enhanced Linux (SELinux) is a Linux kernel security > > +module that limits "the malicious things" that certain processes, > > +including OVS, can do to the system in case they get compromised. > > +In our case SELinux basically serves as the "second line of defense" > > +that limits the things that OVS processes are allowed to do. The > > +"first line of defense" is proper input validation that eliminates > > +code paths that could be used by attacker to do any sort of > > +"escape attacks" (e.g. file name escape, shell escape, command > > +line argument escape, buffer escape). Since developers don't > > +always implement proper input validation, then SELinux Access > > +Control's goal is to confine damage of such attacks, if they > > +turned out to be possible. > > + > > +Besides Type Enforcement there are other SELinux > > +features, but they are out of scope for this document. > > + > > +Currently there are two SELinux policies for Open vSwitch: > > +1. the one that ships with your Linux distribution (i.e. > > + selinux-policy-targeted package); And > > +2. the one that ships with OVS (i.e. openvswitch-selinux-policy > > + package). > > + > > + > > +Limitations > > +----------- > > + > > +If Open vSwitch is directly started from command line, then it > > +will run under "unconfined_t" SELinux domain that basically lets > > +daemon to do whatever it likes. This is very important for developers > > +to understand, because they might introduced code in OVS that invokes > > +new system calls that SELinux policy did not anticipate. This means > > +that their feature may have worked out just fine for them. However, > > +if someone else would try to run the same code when Open vSwitch is > > +started through systemctl, then Open vSwitch would get Permission Denied > > +errors. > > + > > +Currently the only distributions that enforce SELinux on OVS by > > +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also > > +have some SELinux support, they run Open vSwitch under the unrestricted > > +"unconfined" domain. Also, it seems that Ubuntu is leaning towards > > +Apparmor that works slightly differently than SELinux. > > + > > +SELinux and Open vSwitch are moving targets. What this means > > +is that, if you solely rely on your Linux distribution's SELinux policy, > > +then this policy might not have correctly anticipated that a newer > > +Open vSwitch version needs extra white list rules. However, if you > > +solely rely on SELinux policy that ships with Open vSwitch, then > > +Open vSwitch developers might not have correctly anticipated the > > +feature set that your SELinux implementation supports. > > + > > + > > +Installation > > +------------ > > + > > +Refer to [INSTALL.Fedora.md] for instructions on how to build all > > +Open vSwitch rpm packages. > > + > > +Once the package is built, install it on your Linux distribution with: > > + > > + # yum install > openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm > > + > > +And, then restart Open vSwitch: > > + > > + # systemctl restart openvswitch > > + > > + > > +Troubleshooting > > +--------------- > > + > > +When SELinux was implemented some of the standard system utilities > > +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out > > +under which SELinux security domain process runs, use: > > + > > + # ps -AZ | grep ovs-vswitchd > > + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd > > + > > +To find out the SELinux label of file or directory, use: > > + > > + # ls -Z /etc/openvswitch/conf.db > > + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db > > + > > + > > +If, for example, SELinux policy for Open vSwitch is too strict, > > +then you might see in Open vSwitch log files "Permission Denied" > > +errors: > > + > > + # cat /var/log/openvswitch/ovs-vswitchd.log > > + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log > > + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 > > + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... > > + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected > > + netlink_socket|ERR|fcntl: Permission denied > > + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not > exist. > > + The Open vSwitch kernel module is probably not > loaded. > > + dpif|WARN|failed to enumerate system datapaths: Permission denied > > + dpif|WARN|failed to create datapath ovs-system: Permission denied > > + > > + > > + > > +However, not all "Permission denied" errors are caused by SELinux. So, > > +before blaming too strict SELinux policy, make sure that indeed SELinux > > +was the one that denied OVS access to certain resources, for example, > run: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | tail > > + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } > for pid=4583 comm="ovs-vswitchd" > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket > permissive=0 > > + > > + > > +If SELinux denied OVS access to certain resources, then make sure that > you > > +have installed our SELinux policy package that "loosens" up > distribution's > > +SELinux policy: > > + > > + # rpm -qa | grep openvswitch-selinux > > + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch > > + > > +And, then verify that this module was indeed loaded: > > + > > + # semodule -l | grep openvswitch > > + openvswitch-custom 1.0 > > + openvswitch 1.1.1 > > + > > +If you still see Permission denied errors, then take a look > > +into selinux/openvswitch.te file in the OVS source tree and > > +try to add white list rules. This is really simple, just run > > +SELinux audit2allow tool: > > + > > + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M > ovslocal > > + > > + > > +Contributing SELinux policy patches > > +----------------------------------- > > + > > +Here are few things to consider before proposing SELinux policy > > +patches to Open vSwitch developer mailing list: > > + > > +1. The SELinux policy that resides in Open vSwitch source tree > > + amends SELinux policy that ships with your distributions. > > + > > + Implications of this are that it is assumed that the distribution's > > + Open vSwitch SELinux module must be already loaded to satisfy > > + dependencies. > > + > > +2. The SELinux policy that resides in Open vSwitch source tree > > + must work on all currently relevant Linux distributions. > > + > > + Implications of this are that you should use only those SELinux > > + policy features that are supported by the lowest SELinux version > > + out there. > > + > > +3. The SELinux policy is enforced only when state transition to > > + openvswitch_t domain happens. > > + > > + Implications of this are that perhaps instead of loosening SELinux > > + policy you can do certain things at the time rpm package is > installed. > > + > > + > > + > > +Reporting Bugs > > +-------------- > > + > > +Please report problems to bugs@openvswitch.org. > > + > > +[INSTALL.md]:INSTALL.md > > diff --git a/Makefile.am b/Makefile.am > > index 75ccadf..a71a4d6 100644 > > --- a/Makefile.am > > +++ b/Makefile.am > > @@ -79,6 +79,7 @@ docs = \ > > INSTALL.Libvirt.md \ > > INSTALL.NetBSD.md \ > > INSTALL.RHEL.md \ > > + INSTALL.SELinux.md \ > > Makefile uses TABs. > > > > INSTALL.SSL.md \ > > INSTALL.XenServer.md \ > > INSTALL.userspace.md \ > > @@ -431,3 +432,4 @@ include datapath-windows/automake.mk > > include datapath-windows/include/automake.mk > > include windows/automake.mk > > include ovn/automake.mk > > +include selinux/automake.mk > > diff --git a/README.md b/README.md > > index b590928..82065c7 100644 > > --- a/README.md > > +++ b/README.md > > @@ -97,6 +97,8 @@ To use Open vSwitch... > > > > - ...without using a kernel module, read [INSTALL.userspace.md]. > > > > +- ...with SELinux, read [INSTALL.SELinux.md]. > > + > > For answers to common questions, read [FAQ.md]. > > > > To learn how to set up SSL support for Open vSwitch, read [ > INSTALL.SSL.md]. > > diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/ > openvswitch-fedora.spec.in > > index 00e491b..c018370 100644 > > --- a/rhel/openvswitch-fedora.spec.in > > +++ b/rhel/openvswitch-fedora.spec.in > > @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel > > BuildRequires: python python-twisted-core python-zope-interface PyQt4 > python-six > > BuildRequires: desktop-file-utils > > BuildRequires: groff graphviz > > +BuildRequires: checkpolicy, selinux-policy-devel > > # make check dependencies > > BuildRequires: procps-ng > > %if %{with libcapng} > > @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging > functions and > > support for the OpenFlow protocol for remote per-flow control of > > traffic. > > > > +%package selinux-policy > > +Summary: Open vSwitch SELinux policy > > +License: ASL 2.0 > > +BuildArch: noarch > > +Requires: selinux-policy-targeted > > + > > +%description selinux-policy > > +Tailored Open vSwitch SELinux policy > > + > > %package -n python-openvswitch > > Summary: Open vSwitch python bindings > > License: ASL 2.0 > > @@ -131,6 +141,8 @@ overlays and security groups. > > --with-pkidir=%{_sharedstatedir}/openvswitch/pki > > > > make %{?_smp_mflags} > > +cd selinux > > +make -f %{_datadir}/selinux/devel/Makefile > > > > %install > > rm -rf $RPM_BUILD_ROOT > > @@ -172,6 +184,9 @@ install -d -m 0755 > $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db > > touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf > > > > +install -p -m 644 -D selinux/openvswitch-custom.pp \ > > + > $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > # remove unpackaged files > > rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ > > $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ > > @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%post selinux-policy > > +/usr/sbin/semodule -i > %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : > > + > > %postun > > %if 0%{?systemd_postun_with_restart:1} > > %systemd_postun_with_restart %{name}.service > > @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT > > fi > > %endif > > > > +%postun selinux-policy > > +if [ $1 -eq 0 ] ; then > > + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : > > +fi > > + > > +%files selinux-policy > > +%defattr(-,root,root) > > +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp > > + > > %files -n python-openvswitch > > %{python_sitelib}/ovs > > %doc COPYING > > diff --git a/selinux/automake.mk b/selinux/automake.mk > > new file mode 100644 > > index 0000000..1088f36 > > --- /dev/null > > +++ b/selinux/automake.mk > > @@ -0,0 +1,9 @@ > > +# Copyright (C) 2016 Nicira, Inc. > > +# > > +# Copying and distribution of this file, with or without modification, > > +# are permitted in any medium without royalty provided the copyright > > +# notice and this notice are preserved. This file is offered as-is, > > +# without warranty of any kind. > > + > > +EXTRA_DIST += \ > > + selinux/openvswitch-custom.te > > diff --git a/selinux/openvswitch-custom.te > b/selinux/openvswitch-custom.te > > new file mode 100644 > > index 0000000..fc32b97 > > --- /dev/null > > +++ b/selinux/openvswitch-custom.te > > @@ -0,0 +1,9 @@ > > +module openvswitch-custom 1.0; > > + > > +require { > > + type openvswitch_t; > > + class netlink_socket { setopt getopt create connect getattr > write read }; > > +} > > + > > +#============= openvswitch_t ============== > > +allow openvswitch_t self:netlink_socket { setopt getopt create connect > getattr write read }; > > There is a macro in Fedora 23 called create_socket_perms which expands to: > { create ioctl read getattr lock write setattr append bind connect \ > getopt setopt shutdown } > > and Fedora is shipping the following line instead: > allow openvswitch_t self:netlink_socket create_socket_perms; > > What I am saying is that your version is more restrictive and if you > haven't tested all use-cases, there might be some still restricted. > > I am fine either way. > > Therefore, after fixing the Makefile issue: > > Acked-by: Flavio Leitner <fbl@sysclose.org> > Thanks, I fixed Makefile and pushed it. > > Thanks! > -- > fbl > >
diff --git a/INSTALL.SELinux.md b/INSTALL.SELinux.md new file mode 100644 index 0000000..dc93d6d --- /dev/null +++ b/INSTALL.SELinux.md @@ -0,0 +1,166 @@ +Running Open vSwitch under SELinux +================================== + +Security-Enhanced Linux (SELinux) is a Linux kernel security +module that limits "the malicious things" that certain processes, +including OVS, can do to the system in case they get compromised. +In our case SELinux basically serves as the "second line of defense" +that limits the things that OVS processes are allowed to do. The +"first line of defense" is proper input validation that eliminates +code paths that could be used by attacker to do any sort of +"escape attacks" (e.g. file name escape, shell escape, command +line argument escape, buffer escape). Since developers don't +always implement proper input validation, then SELinux Access +Control's goal is to confine damage of such attacks, if they +turned out to be possible. + +Besides Type Enforcement there are other SELinux +features, but they are out of scope for this document. + +Currently there are two SELinux policies for Open vSwitch: +1. the one that ships with your Linux distribution (i.e. + selinux-policy-targeted package); And +2. the one that ships with OVS (i.e. openvswitch-selinux-policy + package). + + +Limitations +----------- + +If Open vSwitch is directly started from command line, then it +will run under "unconfined_t" SELinux domain that basically lets +daemon to do whatever it likes. This is very important for developers +to understand, because they might introduced code in OVS that invokes +new system calls that SELinux policy did not anticipate. This means +that their feature may have worked out just fine for them. However, +if someone else would try to run the same code when Open vSwitch is +started through systemctl, then Open vSwitch would get Permission Denied +errors. + +Currently the only distributions that enforce SELinux on OVS by +default are RHEL, CentOS and Fedora. While Ubuntu and Debian also +have some SELinux support, they run Open vSwitch under the unrestricted +"unconfined" domain. Also, it seems that Ubuntu is leaning towards +Apparmor that works slightly differently than SELinux. + +SELinux and Open vSwitch are moving targets. What this means +is that, if you solely rely on your Linux distribution's SELinux policy, +then this policy might not have correctly anticipated that a newer +Open vSwitch version needs extra white list rules. However, if you +solely rely on SELinux policy that ships with Open vSwitch, then +Open vSwitch developers might not have correctly anticipated the +feature set that your SELinux implementation supports. + + +Installation +------------ + +Refer to [INSTALL.Fedora.md] for instructions on how to build all +Open vSwitch rpm packages. + +Once the package is built, install it on your Linux distribution with: + + # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm + +And, then restart Open vSwitch: + + # systemctl restart openvswitch + + +Troubleshooting +--------------- + +When SELinux was implemented some of the standard system utilities +acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out +under which SELinux security domain process runs, use: + + # ps -AZ | grep ovs-vswitchd + system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd + +To find out the SELinux label of file or directory, use: + + # ls -Z /etc/openvswitch/conf.db + system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db + + +If, for example, SELinux policy for Open vSwitch is too strict, +then you might see in Open vSwitch log files "Permission Denied" +errors: + + # cat /var/log/openvswitch/ovs-vswitchd.log + vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log + ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0 + ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... + reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected + netlink_socket|ERR|fcntl: Permission denied + dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. + The Open vSwitch kernel module is probably not loaded. + dpif|WARN|failed to enumerate system datapaths: Permission denied + dpif|WARN|failed to create datapath ovs-system: Permission denied + + + +However, not all "Permission denied" errors are caused by SELinux. So, +before blaming too strict SELinux policy, make sure that indeed SELinux +was the one that denied OVS access to certain resources, for example, run: + + # grep "openvswitch_t" /var/log/audit/audit.log | tail + type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0 + + +If SELinux denied OVS access to certain resources, then make sure that you +have installed our SELinux policy package that "loosens" up distribution's +SELinux policy: + + # rpm -qa | grep openvswitch-selinux + openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch + +And, then verify that this module was indeed loaded: + + # semodule -l | grep openvswitch + openvswitch-custom 1.0 + openvswitch 1.1.1 + +If you still see Permission denied errors, then take a look +into selinux/openvswitch.te file in the OVS source tree and +try to add white list rules. This is really simple, just run +SELinux audit2allow tool: + + # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal + + +Contributing SELinux policy patches +----------------------------------- + +Here are few things to consider before proposing SELinux policy +patches to Open vSwitch developer mailing list: + +1. The SELinux policy that resides in Open vSwitch source tree + amends SELinux policy that ships with your distributions. + + Implications of this are that it is assumed that the distribution's + Open vSwitch SELinux module must be already loaded to satisfy + dependencies. + +2. The SELinux policy that resides in Open vSwitch source tree + must work on all currently relevant Linux distributions. + + Implications of this are that you should use only those SELinux + policy features that are supported by the lowest SELinux version + out there. + +3. The SELinux policy is enforced only when state transition to + openvswitch_t domain happens. + + Implications of this are that perhaps instead of loosening SELinux + policy you can do certain things at the time rpm package is installed. + + + +Reporting Bugs +-------------- + +Please report problems to bugs@openvswitch.org. + +[INSTALL.md]:INSTALL.md diff --git a/Makefile.am b/Makefile.am index 75ccadf..a71a4d6 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,6 +79,7 @@ docs = \ INSTALL.Libvirt.md \ INSTALL.NetBSD.md \ INSTALL.RHEL.md \ + INSTALL.SELinux.md \ INSTALL.SSL.md \ INSTALL.XenServer.md \ INSTALL.userspace.md \ @@ -431,3 +432,4 @@ include datapath-windows/automake.mk include datapath-windows/include/automake.mk include windows/automake.mk include ovn/automake.mk +include selinux/automake.mk diff --git a/README.md b/README.md index b590928..82065c7 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,8 @@ To use Open vSwitch... - ...without using a kernel module, read [INSTALL.userspace.md]. +- ...with SELinux, read [INSTALL.SELinux.md]. + For answers to common questions, read [FAQ.md]. To learn how to set up SSL support for Open vSwitch, read [INSTALL.SSL.md]. diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 00e491b..c018370 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -46,6 +46,7 @@ BuildRequires: systemd-units openssl openssl-devel BuildRequires: python python-twisted-core python-zope-interface PyQt4 python-six BuildRequires: desktop-file-utils BuildRequires: groff graphviz +BuildRequires: checkpolicy, selinux-policy-devel # make check dependencies BuildRequires: procps-ng %if %{with libcapng} @@ -72,6 +73,15 @@ Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. +%package selinux-policy +Summary: Open vSwitch SELinux policy +License: ASL 2.0 +BuildArch: noarch +Requires: selinux-policy-targeted + +%description selinux-policy +Tailored Open vSwitch SELinux policy + %package -n python-openvswitch Summary: Open vSwitch python bindings License: ASL 2.0 @@ -131,6 +141,8 @@ overlays and security groups. --with-pkidir=%{_sharedstatedir}/openvswitch/pki make %{?_smp_mflags} +cd selinux +make -f %{_datadir}/selinux/devel/Makefile %install rm -rf $RPM_BUILD_ROOT @@ -172,6 +184,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/%{_sharedstatedir}/openvswitch touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf +install -p -m 644 -D selinux/openvswitch-custom.pp \ + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp + # remove unpackaged files rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ $RPM_BUILD_ROOT%{_bindir}/ovs-pcap \ @@ -245,6 +260,9 @@ rm -rf $RPM_BUILD_ROOT fi %endif +%post selinux-policy +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : + %postun %if 0%{?systemd_postun_with_restart:1} %systemd_postun_with_restart %{name}.service @@ -271,6 +289,15 @@ rm -rf $RPM_BUILD_ROOT fi %endif +%postun selinux-policy +if [ $1 -eq 0 ] ; then + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : +fi + +%files selinux-policy +%defattr(-,root,root) +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp + %files -n python-openvswitch %{python_sitelib}/ovs %doc COPYING diff --git a/selinux/automake.mk b/selinux/automake.mk new file mode 100644 index 0000000..1088f36 --- /dev/null +++ b/selinux/automake.mk @@ -0,0 +1,9 @@ +# Copyright (C) 2016 Nicira, Inc. +# +# Copying and distribution of this file, with or without modification, +# are permitted in any medium without royalty provided the copyright +# notice and this notice are preserved. This file is offered as-is, +# without warranty of any kind. + +EXTRA_DIST += \ + selinux/openvswitch-custom.te diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te new file mode 100644 index 0000000..fc32b97 --- /dev/null +++ b/selinux/openvswitch-custom.te @@ -0,0 +1,9 @@ +module openvswitch-custom 1.0; + +require { + type openvswitch_t; + class netlink_socket { setopt getopt create connect getattr write read }; +} + +#============= openvswitch_t ============== +allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };