| Message ID | 20180219145543.9011-1-aconole@redhat.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev] selinux: allow dpdkvhostuserclient sockets with newer libvirt | expand |
On 19 February 2018 at 06:55, Aaron Conole <aconole@redhat.com> wrote: > Newer libvirt and openstack versions will now label the unix socket as > an `svirt_tmpfs_t` object. This means that in order to support > deploying with the recommended configuration (using a > dpdkvhostuserclient socket), additional permissions need to be > installed as part of the selinux policy. > > An example of some of the AVC violations: > > type=AVC msg=audit(1518752799.102:978): avc: denied { write } > for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file > > type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto } > for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" > scontext=system_u:system_r:openvswitch_t:s0 > tcontext=system_u:system_r:svirt_t:s0:c106,c530 > tclass=unix_stream_socket > > Signed-off-by: Aaron Conole <aconole@redhat.com> Acked-By: Ansis Atteka <aatteka@ovn.org> Thanks for the patch. Will push to master,
> diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > index c1a774f0e..7b9c1c7a0 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -14,6 +14,7 @@ require { > type hugetlbfs_t; > type kernel_t; > type svirt_image_t; Is missing type svirt_t; ? The compilation failed: openvswitch-custom.te:53:ERROR 'unknown type svirt_t' at token ';' on line 1042: allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; Thanks ~! > + type svirt_tmpfs_t; > type vfio_device_t; > @end_dpdk@ > +allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; > allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
Guoshuai Li <ligs@dtdream.com> writes: >> diff --git a/selinux/openvswitch-custom.te.in >> b/selinux/openvswitch-custom.te.in >> index c1a774f0e..7b9c1c7a0 100644 >> --- a/selinux/openvswitch-custom.te.in >> +++ b/selinux/openvswitch-custom.te.in >> @@ -14,6 +14,7 @@ require { >> type hugetlbfs_t; >> type kernel_t; >> type svirt_image_t; > Is missing type svirt_t; ? > > The compilation failed: > openvswitch-custom.te:53:ERROR 'unknown type svirt_t' at token ';' on > line 1042: > allow openvswitch_t svirt_tmpfs_t:sock_file { read write append > getattr open }; > allow openvswitch_t svirt_t:unix_stream_socket { connectto read write > getattr sendto recvfrom setopt }; > > Thanks ~! I'll send a fix ASAP. Sorry for this! >> + type svirt_tmpfs_t; >> type vfio_device_t; >> @end_dpdk@ > >> +allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; >> allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index c1a774f0e..7b9c1c7a0 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -14,6 +14,7 @@ require { type hugetlbfs_t; type kernel_t; type svirt_image_t; + type svirt_tmpfs_t; type vfio_device_t; @end_dpdk@ @@ -26,6 +27,7 @@ require { class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; @begin_dpdk@ + class sock_file { read write append getattr open }; class tun_socket { relabelfrom relabelto create }; @end_dpdk@ } @@ -50,5 +52,8 @@ allow openvswitch_t hugetlbfs_t:file { create unlink }; allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom }; allow openvswitch_t self:tun_socket { relabelfrom relabelto create }; allow openvswitch_t svirt_image_t:file { getattr read write }; +allow openvswitch_t svirt_tmpfs_t:file { read write }; +allow openvswitch_t svirt_tmpfs_t:sock_file { read write append getattr open }; +allow openvswitch_t svirt_t:unix_stream_socket { connectto read write getattr sendto recvfrom setopt }; allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr }; @end_dpdk@
Newer libvirt and openstack versions will now label the unix socket as an `svirt_tmpfs_t` object. This means that in order to support deploying with the recommended configuration (using a dpdkvhostuserclient socket), additional permissions need to be installed as part of the selinux policy. An example of some of the AVC violations: type=AVC msg=audit(1518752799.102:978): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket Signed-off-by: Aaron Conole <aconole@redhat.com> --- selinux/openvswitch-custom.te.in | 5 +++++ 1 file changed, 5 insertions(+)