From patchwork Mon Jan 7 23:48:19 2019
X-Patchwork-Submitter: Yi-Hung Wei
X-Patchwork-Id: 1021670
From: Yi-Hung Wei
To: dev@openvswitch.org, aatteka@ovn.org
Date: Mon, 7 Jan 2019 15:48:19 -0800
Message-Id: <1546904899-26470-1-git-send-email-yihung.wei@gmail.com>
Subject: [ovs-dev] [PATCH] selinux: Add missing permissions for ovs-kmod-ctl

Starting from OVS 2.10, ovs-vswitchd may fail to run after a system reboot since it fails to load the ovs kernel module. This is because the conntrack zone limit feature introduced in OVS 2.10 now depends on the nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading the two kernel modules.

Example log of the AVC violations:

type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl so that the aforementioned issue is resolved.

VMWare-BZ: #2257534
Signed-off-by: Yi-Hung Wei
Acked-by: Aaron Conole
---
 selinux/openvswitch-custom.te.in | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
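The two AVC records above are what the patch's new allow rules are derived from. The following added example (not part of the patch or of OVS) parses such records the way audit2allow does and renders the minimal allow rule per (source type, target type, class); the sample input is the two audit lines quoted in the commit message.

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC denial records quoted in the commit message.
SAMPLE_AVC = """\
type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# Matches the permission set and the source/target contexts of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], m["perms"].split())


def denials_to_allow_rules(text):
    """Group denials by (source, target, class) and render one allow rule per group."""
    grouped = OrderedDict()
    for src, tgt, cls, perms in parse_avc_denials(text):
        seen = grouped.setdefault((src, tgt, cls), [])
        for perm in perms:
            if perm not in seen:          # keep first-seen order, drop duplicates
                seen.append(perm)
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_AVC):
        print(rule)
```

The two rules this produces are the ones the patch adds; as with audit2allow output, the rendered rule is a starting point to review for scope (module_request, for instance, is not narrowed by the kmod= value in the record) rather than something to apply blindly.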
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 4a16e5eefdf7..26495828a655 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -16,6 +16,7 @@ require { type init_t; type init_var_run_t; type insmod_exec_t; + type kernel_t; type hostname_exec_t; type modules_conf_t; type modules_object_t; @@ -32,7 +33,6 @@ require { @begin_dpdk@ type hugetlbfs_t; - type kernel_t; type svirt_t; type svirt_image_t; type svirt_tmpfs_t; @@ -51,7 +51,7 @@ require { class netlink_audit_socket { create nlmsg_relay audit_write read write }; class netlink_socket { setopt getopt create connect getattr write read }; class sock_file { write }; - class system module_load; + class system { module_load module_request }; class process { sigchld signull transition noatsecure siginh rlimitinh }; class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; @@ -110,6 +110,7 @@ allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; +allow openvswitch_load_module_t kernel_t:system module_request; allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; 
@@ -120,7 +121,7 @@ allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute allow openvswitch_load_module_t proc_t:file { getattr open read }; allow openvswitch_load_module_t self:system module_load; allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh }; -allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr }; +allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr }; allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search }; allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
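Review bot: Removing `type kernel_t;` from the @begin_dpdk@ require block (hunk @@ -32,7 @@) is the necessary companion to declaring it unconditionally in hunk @@ -16,6 @@, because the new `allow openvswitch_load_module_t kernel_t:system module_request;` rule sits outside the DPDK section and must resolve kernel_t whether or not DPDK support is compiled in; a one-line mention in the commit message would keep the move from being read as dropping a DPDK requirement.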
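Review bot: The new `allow openvswitch_load_module_t kernel_t:system module_request;` (hunk @@ -110,6 @@) matches the second AVC record exactly (tcontext kernel_t, tclass system), but its scope is broader than the description suggests: module_request lets the domain have the kernel autoload any module by alias, not only nf_conntrack, and the kmod= field in the audit record is informational, not something the rule can filter on. That is acceptable for a dedicated module-loading domain, but stating it in the commit message would save reviewers from expecting a per-module restriction.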
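Review bot: Adding execute_no_trans on shell_exec_t (hunk @@ -120,7 @@) answers the first AVC (comm="modprobe" executing /usr/bin/bash) by letting modprobe run a shell without a domain transition, presumably for an install or similar command in the modprobe configuration; naming which configuration triggers the shell would let a later cleanup judge whether the permission is still needed. In the same hunk's unchanged context, `allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };` lists siginh twice; harmless, but a follow-up could drop the duplicate.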