From patchwork Tue Mar 20 21:05:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Conole X-Patchwork-Id: 888451 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 405QTq0wCXz9s0m for ; Wed, 21 Mar 2018 08:06:39 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 3521711B0; Tue, 20 Mar 2018 21:05:31 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 34E8010CC for ; Tue, 20 Mar 2018 21:05:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C2C315D0 for ; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 12C354273629; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id CF088AB584; Tue, 20 Mar 2018 21:05:24 +0000 (UTC) From: Aaron Conole To: dev@openvswitch.org Date: Tue, 20 Mar 2018 17:05:15 -0400 Message-Id: <20180320210518.9982-2-aconole@redhat.com> In-Reply-To: <20180320210518.9982-1-aconole@redhat.com> References: <20180320210518.9982-1-aconole@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:'' X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Lukas Vrabec , Ansis Atteka , Flavio Leitner Subject: [ovs-dev] [PATCH 1/4] ovs-kmod-ctl: introduce a kernel module load script X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Currently, Open vSwitch on linux embeds the logic of loading and unloading kernel modules into the ovs-ctl and ovs-lib script files. This works, but it means that there is no way to leverage extended filesystem attributes to grant fine grain permissions relating to module loading. The split out utility 'ovs-kmod-ctl' will be used in an upcoming commit for RHEL-based distributions to have a separate transition domain that will allow module loading to be given to a separate selinux domain from the openvswitch_t domain. Signed-off-by: Aaron Conole --- debian/openvswitch-switch.install | 1 + debian/openvswitch-switch.manpages | 1 + rhel/openvswitch-fedora.spec.in | 2 + rhel/openvswitch.spec.in | 2 + utilities/.gitignore | 1 + utilities/automake.mk | 5 + utilities/ovs-ctl.in | 32 +----- utilities/ovs-kmod-ctl.8 | 103 +++++++++++++++++ utilities/ovs-kmod-ctl.in | 228 +++++++++++++++++++++++++++++++++++++ utilities/ovs-lib.in | 12 +- 10 files changed, 350 insertions(+), 37 deletions(-) create mode 100644 utilities/ovs-kmod-ctl.8 create mode 100644 utilities/ovs-kmod-ctl.in diff --git a/debian/openvswitch-switch.install b/debian/openvswitch-switch.install index bfb391fe8..6a6e9a543 100644 --- a/debian/openvswitch-switch.install +++ b/debian/openvswitch-switch.install @@ -12,5 +12,6 @@ usr/sbin/ovs-vswitchd usr/sbin/ovsdb-server usr/share/openvswitch/scripts/ovs-check-dead-ifs usr/share/openvswitch/scripts/ovs-ctl +usr/share/openvswitch/scripts/ovs-kmod-ctl usr/share/openvswitch/scripts/ovs-save usr/share/openvswitch/vswitch.ovsschema diff --git a/debian/openvswitch-switch.manpages b/debian/openvswitch-switch.manpages index a2f661a3e..47a1ba174 100644 --- a/debian/openvswitch-switch.manpages +++ b/debian/openvswitch-switch.manpages @@ -2,6 +2,7 @@ ovsdb/ovsdb-server.1 utilities/ovs-ctl.8 utilities/ovs-dpctl-top.8 utilities/ovs-dpctl.8 +utilities/ovs-kmod-ctl.8 utilities/ovs-pcap.1 utilities/ovs-tcpdump.8 utilities/ovs-tcpundump.1 diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 8a804942b..8fbc985ce 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -542,6 +542,7 @@ fi %{_datadir}/openvswitch/scripts/ovs-save %{_datadir}/openvswitch/scripts/ovs-vtep %{_datadir}/openvswitch/scripts/ovs-ctl +%{_datadir}/openvswitch/scripts/ovs-kmod-ctl %{_datadir}/openvswitch/scripts/ovs-systemd-reload %config %{_datadir}/openvswitch/vswitch.ovsschema %config %{_datadir}/openvswitch/vtep.ovsschema @@ -574,6 +575,7 @@ fi %{_mandir}/man8/ovs-ctl.8* %{_mandir}/man8/ovs-dpctl.8* %{_mandir}/man8/ovs-dpctl-top.8* +%{_mandir}/man8/ovs-kmod-ctl.8* %{_mandir}/man8/ovs-ofctl.8* %{_mandir}/man8/ovs-pki.8* %{_mandir}/man8/ovs-vsctl.8* diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in index 876990698..71d5afbdb 100644 --- a/rhel/openvswitch.spec.in +++ b/rhel/openvswitch.spec.in @@ -236,6 +236,7 @@ exit 0 /usr/share/man/man8/ovs-ctl.8.gz /usr/share/man/man8/ovs-dpctl.8.gz /usr/share/man/man8/ovs-dpctl-top.8.gz +/usr/share/man/man8/ovs-kmod-ctl.8.gz /usr/share/man/man8/ovs-ofctl.8.gz /usr/share/man/man8/ovs-parse-backtrace.8.gz /usr/share/man/man8/ovs-pki.8.gz @@ -249,6 +250,7 @@ exit 0 /usr/share/openvswitch/scripts/ovs-bugtool-* /usr/share/openvswitch/scripts/ovs-check-dead-ifs /usr/share/openvswitch/scripts/ovs-ctl +/usr/share/openvswitch/scripts/ovs-kmod-ctl /usr/share/openvswitch/scripts/ovs-lib /usr/share/openvswitch/scripts/ovs-save /usr/share/openvswitch/scripts/ovs-vtep diff --git a/utilities/.gitignore b/utilities/.gitignore index 34c58f20f..eb2a69bf3 100644 --- a/utilities/.gitignore +++ b/utilities/.gitignore @@ -13,6 +13,7 @@ /ovs-dpctl.8 /ovs-dpctl-top /ovs-dpctl-top.8 +/ovs-kmod-ctl /ovs-l3ping /ovs-l3ping.8 /ovs-lib diff --git a/utilities/automake.mk b/utilities/automake.mk index 60cf1c5ed..d8f2374a3 100644 --- a/utilities/automake.mk +++ b/utilities/automake.mk @@ -20,6 +20,7 @@ endif scripts_SCRIPTS += \ utilities/ovs-check-dead-ifs \ utilities/ovs-ctl \ + utilities/ovs-kmod-ctl \ utilities/ovs-save scripts_DATA += utilities/ovs-lib @@ -44,6 +45,7 @@ EXTRA_DIST += \ utilities/ovs-dev.py \ utilities/ovs-docker \ utilities/ovs-dpctl-top.in \ + utilities/ovs-kmod-ctl.in \ utilities/ovs-l3ping.in \ utilities/ovs-lib.in \ utilities/ovs-parse-backtrace.in \ @@ -63,6 +65,7 @@ MAN_ROOTS += \ utilities/ovs-ctl.8 \ utilities/ovs-dpctl.8.in \ utilities/ovs-dpctl-top.8.in \ + utilities/ovs-kmod-ctl.8 \ utilities/ovs-l3ping.8.in \ utilities/ovs-ofctl.8.in \ utilities/ovs-parse-backtrace.8 \ @@ -81,6 +84,7 @@ CLEANFILES += \ utilities/ovs-dpctl.8 \ utilities/ovs-dpctl-top \ utilities/ovs-dpctl-top.8 \ + utilities/ovs-kmod-ctl \ utilities/ovs-l3ping \ utilities/ovs-l3ping.8 \ utilities/ovs-lib \ @@ -107,6 +111,7 @@ man_MANS += \ utilities/ovs-testcontroller.8 \ utilities/ovs-dpctl.8 \ utilities/ovs-dpctl-top.8 \ + utilities/ovs-kmod-ctl.8 \ utilities/ovs-l3ping.8 \ utilities/ovs-ofctl.8 \ utilities/ovs-parse-backtrace.8 \ diff --git a/utilities/ovs-ctl.in b/utilities/ovs-ctl.in index ef06dd967..8fdf8909a 100755 --- a/utilities/ovs-ctl.in +++ b/utilities/ovs-ctl.in @@ -30,37 +30,9 @@ done ## start ## ## ----- ## -insert_mods () { - # Try loading openvswitch again. - action "Inserting openvswitch module" modprobe openvswitch -} - insert_mod_if_required () { - # If this kernel has no module support, expect we're done. - if test ! -e /proc/modules - then - log_success_msg "Kernel has no loadable module support. Skipping modprobe" - return 0 - fi - - # If openvswitch is already loaded then we're done. - test -e /sys/module/openvswitch && return 0 - - # Load openvswitch. If that's successful then we're done. - insert_mods && return 0 - - # If the bridge module is loaded, then that might be blocking - # openvswitch. Try to unload it, if there are no bridges. - test -e /sys/module/bridge || return 1 - bridges=`echo /sys/class/net/*/bridge | sed 's,/sys/class/net/,,g;s,/bridge,,g'` - if test "$bridges" != "*"; then - log_warning_msg "not removing bridge module because bridges exist ($bridges)" - return 1 - fi - action "removing bridge module" rmmod bridge || return 1 - - # Try loading openvswitch again. - insert_mods + ## This takes care of inserting any required kernel modules + ovs_kmod_ctl insert } set_hostname () { diff --git a/utilities/ovs-kmod-ctl.8 b/utilities/ovs-kmod-ctl.8 new file mode 100644 index 000000000..bc09a8a74 --- /dev/null +++ b/utilities/ovs-kmod-ctl.8 @@ -0,0 +1,103 @@ +.\" -*- nroff -*- +.de IQ +. br +. ns +. IP "\\$1" +.. +.de ST +. PP +. RS -0.15in +. I "\\$1" +. RE +.. +.TH ovs\-ctl 8 "February 2018" "Open vSwitch" "Open vSwitch Manual" +.ds PN ovs\-ctl +. +.SH NAME +ovs\-kmod\-ctl \- OVS startup helper script for loading kernel modules +. +.SH SYNOPSIS +\fBovs\-kmod\-ctl\fR \fBinsert +.br +\fBovs\-kmod\-ctl \fBremove +.br +\fBovs\-ctl help \fR| \fB\-h \fR| \fB\-\-help +.br +\fBovs\-ctl \-\-version +.br +\fBovs\-kmod\-ctl version +. +.SH DESCRIPTION +. +.PP +The \fBovs\-kmod\-ctl\fR program is responsible for inserting and +remove Open vSwitch kernel modules. It is not meant to be invoked +directly by system administrators but to be called internally by +system startup scripts. +. +.PP +Each of \fBovs\-ctl\fR's commands is described separately below. +. +.SH "The ``insert'' command" +. +.PP +The \fBinsert\fR command loads the Open vSwitch kernel modules, if +needed. If this fails, and the Linux bridge module is loaded but no +bridges exist, it tries to unload the bridge module and tries loading +the Open vSwitch kernel module again. (This is because the Open +vSwitch kernel module cannot coexist with the Linux bridge module +before 2.6.37.) +. +.SH "The ``remove'' command" +. +.PP +The \fBremove\fR command unloads the Open vSwitch kernel module (including +the bridge compatibility module, if loaded) and any associated vport +modules. +. +.SH "EXIT STATUS" +. +\fBovs\-kmod\-ctl\fR exits with status 0 on success and nonzero on +failure. The \fBinsert\fR command is considered to succeed if kernel +modules are already loaded; the \fBremove\fR command is considered to +succeed if none of the kernel modules are loaded. +. +.SH "ENVIRONMENT" +. +The following environment variables affect \fBovs\-kmod\-ctl\fR: +. +.IP "\fBPATH\fR" +\fBovs\-kmod\-ctl\fR does not hardcode the location of any of the programs +that it runs. \fBovs\-kmod\-ctl\fR will add the \fIsbindir\fR and +\fIbindir\fR that were specified at \fBconfigure\fR time to +\fBPATH\fR, if they are not already present. +. +.IP "\fBOVS_LOGDIR\fR" +.IQ "\fBOVS_RUNDIR\fR" +.IQ "\fBOVS_DBDIR\fR" +.IQ "\fBOVS_SYSCONFDIR\fR" +.IQ "\fBOVS_PKGDATADIR\fR" +.IQ "\fBOVS_BINDIR\fR" +.IQ "\fBOVS_SBINDIR\fR" +Setting one of these variables in the environment overrides the +respective \fBconfigure\fR option, both for \fBovs\-kmod\-ctl\fR itself +and for the other Open vSwitch programs that it runs. +. +.SH "FILES" +. +\fBovs\-kmod\-ctl\fR uses the following files: +. +.IP "\fBovs\-lib" +Shell function library used internally by \fBovs\-kmod\-ctl\fR. It must +be installed in the same directory as \fBovs\-kmod\-ctl\fR. +. +.SH "EXAMPLE" +. +.PP +The files \fBdebian/openvswitch\-switch.init\fR and +\fBxenserver/etc_init.d_openvswitch\fR in the Open vSwitch source +distribution are good examples of how to use \fBovs\-ctl\fR. +. +.SH "SEE ALSO" +. +\fBREADME.rst\fR, \fBovs\-ctl\fR(8) diff --git a/utilities/ovs-kmod-ctl.in b/utilities/ovs-kmod-ctl.in new file mode 100644 index 000000000..b85f6cd04 --- /dev/null +++ b/utilities/ovs-kmod-ctl.in @@ -0,0 +1,228 @@ +#! /bin/sh +# Copyright (C) 2018 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +case $0 in + */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;; + *) dir0=./ ;; +esac +. "$dir0/ovs-lib" || exit 1 + +for dir in "$sbindir" "$bindir" /sbin /bin /usr/sbin /usr/bin; do + case :$PATH: in + *:$dir:*) ;; + *) PATH=$PATH:$dir ;; + esac +done + +insert_mods () { + # Try loading openvswitch again. + action "Inserting openvswitch module" modprobe openvswitch +} + +insert_kmod_if_required() { + # If this kernel has no module support, expect we're done. + if test ! -e /proc/modules + then + log_success_msg "Kernel has no loadable module support. Skipping modprobe" + return 0 + fi + + # If openvswitch is already loaded then we're done. + test -e /sys/module/openvswitch && return 0 + + # Load openvswitch. If that's successful then we're done. + insert_mods && return 0 + + # If the bridge module is loaded, then that might be blocking + # openvswitch. Try to unload it, if there are no bridges. + test -e /sys/module/bridge || return 1 + bridges=`echo /sys/class/net/*/bridge | sed 's,/sys/class/net/,,g;s,/bridge,,g'` + if test "$bridges" != "*"; then + log_warning_msg "not removing bridge module because bridges exist ($bridges)" + return 1 + fi + action "removing bridge module" rmmod bridge || return 1 + + # Try loading openvswitch again. + insert_mods +} + +remove_kmods() { + for vport in `awk '/^vport_/ { print $1 }' /proc/modules`; do + action "Removing $vport module" rmmod $vport + done + + if test -e /sys/module/openvswitch; then + action "Removing openvswitch module" rmmod openvswitch + fi +} + +set_defaults () { + SYSTEM_ID= + + DELETE_BRIDGES=no + DELETE_TRANSIENT_PORTS=no + + DAEMON_CWD=/ + FORCE_COREFILES=yes + MLOCKALL=yes + SELF_CONFINEMENT=yes + MONITOR=yes + OVS_USER= + OVSDB_SERVER=yes + OVS_VSWITCHD=yes + OVSDB_SERVER_PRIORITY=-10 + OVS_VSWITCHD_PRIORITY=-10 + OVSDB_SERVER_WRAPPER= + OVS_VSWITCHD_WRAPPER= + + DB_FILE=$dbdir/conf.db + DB_SOCK=$rundir/db.sock + DB_SCHEMA=$datadir/vswitch.ovsschema + EXTRA_DBS= + + PROTOCOL=gre + DPORT= + SPORT= + + type_file=$etcdir/system-type.conf + version_file=$etcdir/system-version.conf + + if test -e "$type_file" ; then + SYSTEM_TYPE=`cat $type_file` + SYSTEM_VERSION=`cat $version_file` + elif test -e "@sysconfdir@/os-release"; then + SYSTEM_TYPE=`. '@sysconfdir@/os-release' && echo "$ID"` + SYSTEM_VERSION=`. '@sysconfdir@/os-release' && echo "$VERSION_ID"` + elif (lsb_release --id) >/dev/null 2>&1; then + SYSTEM_TYPE=`lsb_release --id -s` + system_release=`lsb_release --release -s` + system_codename=`lsb_release --codename -s` + SYSTEM_VERSION="${system_release}-${system_codename}" + else + SYSTEM_TYPE=unknown + SYSTEM_VERSION=unknown + fi +} + +usage () { + set_defaults + cat <&2 "$0: unknown option \"$arg\" (use --help for help)" + return + fi + eval $var=\$value +} + +set_defaults +extra_ids= +command= +for arg +do + case $arg in + -h | --help) + usage + ;; + -V | --version) + echo "$0 (Open vSwitch) $VERSION" + exit 0 + ;; + --[a-z]*=*) + option=`expr X"$arg" : 'X--\([^=]*\)'` + value=`expr X"$arg" : 'X[^=]*=\(.*\)'` + type=string + set_option + ;; + --no-[a-z]*) + option=`expr X"$arg" : 'X--no-\(.*\)'` + value=no + type=bool + set_option + ;; + --[a-z]*) + option=`expr X"$arg" : 'X--\(.*\)'` + value=yes + type=bool + set_option + ;; + -*) + echo >&2 "$0: unknown option \"$arg\" (use --help for help)" + exit 1 + ;; + *) + if test X"$command" = X; then + command=$arg + else + echo >&2 "$0: exactly one non-option argument required (use --help for help)" + exit 1 + fi + ;; + esac +done +case $command in + remove) + remove_kmods + ;; + insert) + insert_kmod_if_required + ;; + help) + usage + ;; + '') + echo >&2 "$0: missing command name (use --help for help)" + exit 1 + ;; + *) + echo >&2 "$0: unknown command \"$command\" (use --help for help)" + exit 1 + ;; +esac diff --git a/utilities/ovs-lib.in b/utilities/ovs-lib.in index cf6b6d296..106eaddd9 100644 --- a/utilities/ovs-lib.in +++ b/utilities/ovs-lib.in @@ -449,6 +449,10 @@ ovs_vsctl () { ## force-reload-kmod ## ## ----------------- ## +ovs_kmod_ctl () { + "$dir0/ovs-kmod-ctl" "$@" +} + internal_interfaces () { # Outputs a list of internal interfaces: # @@ -563,13 +567,7 @@ force_reload_kmod () { action "Removing datapath: $dp" ovs-dpctl del-dp "$dp" done - for vport in `awk '/^vport_/ { print $1 }' /proc/modules`; do - action "Removing $vport module" rmmod $vport - done - - if test -e /sys/module/openvswitch; then - action "Removing openvswitch module" rmmod openvswitch - fi + ovs_kmod_ctl remove # Start vswitchd by asking it to wait till flow restore is finished. flow_restore_wait From patchwork Tue Mar 20 21:05:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Conole X-Patchwork-Id: 888452 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 405QVH30y4z9s0R for ; Wed, 21 Mar 2018 08:07:03 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 1C4D011CC; Tue, 20 Mar 2018 21:05:32 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 7370010CC for ; Tue, 20 Mar 2018 21:05:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 002255D3 for ; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4B377814DF4C; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id 18E69AB583; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) From: Aaron Conole To: dev@openvswitch.org Date: Tue, 20 Mar 2018 17:05:16 -0400 Message-Id: <20180320210518.9982-3-aconole@redhat.com> In-Reply-To: <20180320210518.9982-1-aconole@redhat.com> References: <20180320210518.9982-1-aconole@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:'' X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Lukas Vrabec , Ansis Atteka , Flavio Leitner Subject: [ovs-dev] [PATCH 2/4] selinux: create a transition type for module loading X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Defines a type 'openvswitch_load_module_t' used exclusively for loading modules. This means that the 'openvswitch_t' domain won't require access to the module loading facility - such access can only happen after transitioning through the 'openvswitch_load_module_exec_t' transition context. A future commit will label the appropriate script with extended attributes to make use of this new domain. Signed-off-by: Aaron Conole --- selinux/openvswitch-custom.te.in | 79 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 74 insertions(+), 5 deletions(-) diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index db3cf6d8d..31e8fab15 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -1,13 +1,31 @@ module openvswitch-custom 1.0.1; require { + role system_r; + role object_r; + type openvswitch_t; type openvswitch_rw_t; type openvswitch_tmp_t; type openvswitch_var_run_t; + type bin_t; type ifconfig_exec_t; + type init_t; + type init_var_run_t; + type insmod_exec_t; type hostname_exec_t; + type modules_conf_t; + type modules_object_t; + type passwd_file_t; + type plymouth_exec_t; + type proc_t; + type shell_exec_t; + type sssd_t; + type sssd_public_t; + type sssd_var_lib_t; + type sysfs_t; + type systemd_unit_file_t; type tun_tap_device_t; @begin_dpdk@ @@ -21,18 +39,36 @@ require { class capability { dac_override audit_write }; class chr_file { write getattr read open ioctl }; - class dir { write remove_name add_name lock read }; - class file { write getattr read open execute execute_no_trans create unlink }; + class dir { write remove_name add_name lock read getattr search open }; + class fd { use }; + class file { write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; + class fifo_file { getattr read write append ioctl lock open }; + class filesystem getattr; + class lnk_file { read open }; class netlink_audit_socket { create nlmsg_relay audit_write read write }; class netlink_socket { setopt getopt create connect getattr write read }; - class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; + class sock_file { write }; + class system module_load; + class process { sigchld signull transition noatsecure siginh rlimitinh }; + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; @begin_dpdk@ - class sock_file { read write append getattr open }; + class sock_file { read append getattr open }; class tun_socket { relabelfrom relabelto create }; @end_dpdk@ } +#============= Set up the transition domain ============= +type openvswitch_load_module_exec_t; +type openvswitch_load_module_t; + +domain_type(openvswitch_load_module_exec_t); +domain_type(openvswitch_load_module_t); +role object_r types openvswitch_load_module_exec_t; +role system_r types openvswitch_load_module_t; +domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); +domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t); + #============= openvswitch_t ============== allow openvswitch_t self:capability { dac_override audit_write }; allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; @@ -41,10 +77,11 @@ allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr w allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; -allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read }; +allow openvswitch_t openvswitch_rw_t:dir { write remove_name add_name lock read getattr open search }; allow openvswitch_t openvswitch_rw_t:file { write getattr read open execute execute_no_trans create unlink }; allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans }; allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; +allow openvswitch_t openvswitch_var_run_t:dir { getattr read open search }; allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl }; @begin_dpdk@ @@ -58,3 +95,35 @@ allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; @end_dpdk@ + +#============= Transition allows ============= +type_transition openvswitch_t openvswitch_load_module_exec_t:process openvswitch_load_module_t; +allow openvswitch_t openvswitch_load_module_exec_t:file { execute read open getattr }; +allow openvswitch_t openvswitch_load_module_t:process transition; + +allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; +allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; +allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; +allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; +allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; +allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; +allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; +allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; +allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; +allow openvswitch_load_module_t passwd_file_t:file { getattr open read }; +allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute execute_no_trans map }; +allow openvswitch_load_module_t proc_t:file { getattr open read }; +allow openvswitch_load_module_t self:system module_load; +allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh }; +allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr }; +allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search }; +allow openvswitch_load_module_t sssd_public_t:file { getattr map open read }; +allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto; +allow openvswitch_load_module_t sssd_var_lib_t:dir { getattr open read search }; +allow openvswitch_load_module_t sssd_var_lib_t:sock_file write; +allow openvswitch_load_module_t sysfs_t:dir { getattr open read search }; +allow openvswitch_load_module_t sysfs_t:file { open read }; +allow openvswitch_load_module_t sysfs_t:lnk_file { read open }; +allow openvswitch_load_module_t systemd_unit_file_t:dir getattr; + +kernel_load_module(openvswitch_load_module_t); From patchwork Tue Mar 20 21:05:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Conole X-Patchwork-Id: 888448 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 405QSt66y3z9s0R for ; Wed, 21 Mar 2018 08:05:50 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 2354110E1; Tue, 20 Mar 2018 21:05:29 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 9D70D10C9 for ; Tue, 20 Mar 2018 21:05:26 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 4D5315D4 for ; Tue, 20 Mar 2018 21:05:26 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 85EF940267D7; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id 51DA2AB3F2; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) From: Aaron Conole To: dev@openvswitch.org Date: Tue, 20 Mar 2018 17:05:17 -0400 Message-Id: <20180320210518.9982-4-aconole@redhat.com> In-Reply-To: <20180320210518.9982-1-aconole@redhat.com> References: <20180320210518.9982-1-aconole@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:'' X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Lukas Vrabec , Ansis Atteka , Flavio Leitner Subject: [ovs-dev] [PATCH 3/4] selinux: introduce domain transitioned kmod helper X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org This commit uses the previously defined selinux label to transition from the openvswitch_t to openvswitch_load_module_t domain, by way of a specially labelled ovs-kmod-ctl helper. Signed-off-by: Aaron Conole --- selinux/.gitignore | 4 ++++ selinux/automake.mk | 3 ++- selinux/openvswitch-custom.fc.in | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 selinux/openvswitch-custom.fc.in diff --git a/selinux/.gitignore b/selinux/.gitignore index 83a0afb51..64e834cd1 100644 --- a/selinux/.gitignore +++ b/selinux/.gitignore @@ -1 +1,5 @@ openvswitch-custom.te +openvswitch-custom.fc +openvswitch-custom.pp +openvswitch-custom.if +tmp/ diff --git a/selinux/automake.mk b/selinux/automake.mk index b37e8f337..c7dfe6ed5 100644 --- a/selinux/automake.mk +++ b/selinux/automake.mk @@ -6,11 +6,12 @@ # without warranty of any kind. EXTRA_DIST += \ + selinux/openvswitch-custom.fc.in \ selinux/openvswitch-custom.te.in PHONY: selinux-policy -selinux-policy: selinux/openvswitch-custom.te +selinux-policy: selinux/openvswitch-custom.te selinux/openvswitch-custom.fc $(MAKE) -C selinux/ -f /usr/share/selinux/devel/Makefile CLEANFILES += \ diff --git a/selinux/openvswitch-custom.fc.in b/selinux/openvswitch-custom.fc.in new file mode 100644 index 000000000..c2756d04b --- /dev/null +++ b/selinux/openvswitch-custom.fc.in @@ -0,0 +1 @@ +@pkgdatadir@/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0) From patchwork Tue Mar 20 21:05:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aaron Conole X-Patchwork-Id: 888449 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 405QTN4g5rz9s0R for ; Wed, 21 Mar 2018 08:06:16 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id 2F4FC116D; Tue, 20 Mar 2018 21:05:30 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 0352D10D9 for ; Tue, 20 Mar 2018 21:05:27 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 86374360 for ; Tue, 20 Mar 2018 21:05:26 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D0D518185928; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8CC5B94562; Tue, 20 Mar 2018 21:05:25 +0000 (UTC) From: Aaron Conole To: dev@openvswitch.org Date: Tue, 20 Mar 2018 17:05:18 -0400 Message-Id: <20180320210518.9982-5-aconole@redhat.com> In-Reply-To: <20180320210518.9982-1-aconole@redhat.com> References: <20180320210518.9982-1-aconole@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Tue, 20 Mar 2018 21:05:25 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:'' X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, T_RP_MATCHES_RCVD autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Lukas Vrabec , Ansis Atteka , Flavio Leitner Subject: [ovs-dev] [PATCH 4/4] rhel: selinux-policy to invoke proper label macros X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org The rpm doesn't invoke all of the required selinux helpers to enact labeling or relabeling on all versions of Fedora/RHEL. According to: https://fedoraproject.org/wiki/SELinux/IndependentPolicy This commit switches to use the selinux rpm macros which will ensure that all of the labels defined in the .fc.in file are applied properly. Signed-off-by: Aaron Conole --- rhel/openvswitch-fedora.spec.in | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rhel/openvswitch-fedora.spec.in b/rhel/openvswitch-fedora.spec.in index 8fbc985ce..b606cb7e0 100644 --- a/rhel/openvswitch-fedora.spec.in +++ b/rhel/openvswitch-fedora.spec.in @@ -340,6 +340,9 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/ovs-parse-backtrace \ %clean rm -rf $RPM_BUILD_ROOT +%pre selinux-policy +%selinux_relabel_pre -s targeted + %preun %if 0%{?systemd_preun:1} %systemd_preun %{name}.service @@ -444,7 +447,7 @@ fi %endif %post selinux-policy -/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : +%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp %postun %if 0%{?systemd_postun:1} @@ -476,9 +479,12 @@ fi %postun selinux-policy if [ $1 -eq 0 ] ; then - /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : + %selinux_modules_uninstall -s targeted openvswitch-custom fi +%posttrans selinux-policy +%selinux_relabel_post -s targeted + %files selinux-policy %defattr(-,root,root) %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp