Message ID | 1599152566-79233-1-git-send-email-yihung.wei@gmail.com |
---|---|
State | Accepted |
Series | [ovs-dev] selinux: Add missing permissions for ovs-kmod-ctl |
On 9/3/2020 10:02 AM, Yi-Hung Wei wrote: > On RHEL 8, a SELinux policy is missing when ovs-kmod-ctl use modprobe > to load kernel modules. This patch adds the missing permissions based > on /var/log/audit/audit.log > > Example log of the AVC violations: > type=AVC msg=audit(1599075387.136:65): avc: denied { read } for > pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629 > scontext=system_u:system_r:openvswitch_load_module_t:s0 > tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 > > type=AVC msg=audit(1599085253.148:45): avc: denied { open } for pid=1355 > comm="modprobe" path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin" > dev="dm-0" ino=624258 scontext=system_u:system_r:openvswitch_load_module_t:s0 > tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0 > > VMWare-BZ: #2633569 > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> > --- > selinux/openvswitch-custom.te.in | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in > index 2adaf231fe63..beb0ab0d6612 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -19,6 +19,7 @@ require { > type kernel_t; > type hostname_exec_t; > type modules_conf_t; > + type modules_dep_t; > type modules_object_t; > type passwd_file_t; > type plymouth_exec_t; 
> @@ -121,6 +122,7 @@ allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans ge > allow openvswitch_load_module_t kernel_t:system module_request; > allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; > allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; > +allow openvswitch_load_module_t modules_dep_t:file { getattr map open read }; > allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; > allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; > allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint }; > Acked-by: Greg Rose <gvrose8192@gmail.com>
Acked-by: Ansis Atteka <aatteka@ovn.org> On Thu, Sep 3, 2020, 10:03 AM Yi-Hung Wei <yihung.wei@gmail.com> wrote: > On RHEL 8, a SELinux policy is missing when ovs-kmod-ctl use modprobe > to load kernel modules. This patch adds the missing permissions based > on /var/log/audit/audit.log > > Example log of the AVC violations: > type=AVC msg=audit(1599075387.136:65): avc: denied { read } for > pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629 > scontext=system_u:system_r:openvswitch_load_module_t:s0 > tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 > > type=AVC msg=audit(1599085253.148:45): avc: denied { open } for > pid=1355 > comm="modprobe" > path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin" > dev="dm-0" ino=624258 > scontext=system_u:system_r:openvswitch_load_module_t:s0 > tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0 > > VMWare-BZ: #2633569 > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> > --- > selinux/openvswitch-custom.te.in | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/selinux/openvswitch-custom.te.in b/selinux/ > openvswitch-custom.te.in > index 2adaf231fe63..beb0ab0d6612 100644 > --- a/selinux/openvswitch-custom.te.in > +++ b/selinux/openvswitch-custom.te.in > @@ -19,6 +19,7 @@ require { > type kernel_t; > type hostname_exec_t; > type modules_conf_t; > + type modules_dep_t; > type modules_object_t; > type passwd_file_t; > type plymouth_exec_t; 
> @@ -121,6 +122,7 @@ allow openvswitch_load_module_t insmod_exec_t:file { > execute execute_no_trans ge > allow openvswitch_load_module_t kernel_t:system module_request; > allow openvswitch_load_module_t modules_conf_t:dir { getattr open read > search }; > allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; > +allow openvswitch_load_module_t modules_dep_t:file { getattr map open > read }; > allow openvswitch_load_module_t modules_object_t:file { map getattr open > read }; > allow openvswitch_load_module_t modules_object_t:dir { getattr open read > search }; > allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { > entrypoint }; > -- > 2.7.4 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On 9/3/20 8:21 PM, Ansis wrote:
> Acked-by: Ansis Atteka <aatteka@ovn.org>
>
> On Thu, Sep 3, 2020, 10:03 AM Yi-Hung Wei <yihung.wei@gmail.com> wrote:
>
>> On RHEL 8, a SELinux policy is missing when ovs-kmod-ctl use modprobe
>> to load kernel modules. This patch adds the missing permissions based
>> on /var/log/audit/audit.log
>>
>> Example log of the AVC violations:
>> type=AVC msg=audit(1599075387.136:65): avc: denied { read } for
>> pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629
>> scontext=system_u:system_r:openvswitch_load_module_t:s0
>> tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
>>
>> type=AVC msg=audit(1599085253.148:45): avc: denied { open } for
>> pid=1355
>> comm="modprobe"
>> path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin"
>> dev="dm-0" ino=624258
>> scontext=system_u:system_r:openvswitch_load_module_t:s0
>> tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
>>
>> VMWare-BZ: #2633569
>> Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
>> ---

Thanks! Applied to master and backported down to 2.13.

Best regards, Ilya Maximets.
diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in index 2adaf231fe63..beb0ab0d6612 100644 --- a/selinux/openvswitch-custom.te.in +++ b/selinux/openvswitch-custom.te.in @@ -19,6 +19,7 @@ require { type kernel_t; type hostname_exec_t; type modules_conf_t; + type modules_dep_t; type modules_object_t; type passwd_file_t; type plymouth_exec_t; @@ -121,6 +122,7 @@ allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans ge allow openvswitch_load_module_t kernel_t:system module_request; allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; allow openvswitch_load_module_t modules_conf_t:file { getattr open read }; +allow openvswitch_load_module_t modules_dep_t:file { getattr map open read }; allow openvswitch_load_module_t modules_object_t:file { map getattr open read }; allow openvswitch_load_module_t modules_object_t:dir { getattr open read search }; allow openvswitch_load_module_t openvswitch_load_module_exec_t:file { entrypoint };
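Review bot: in the require block (@@ -19,6 +19,7), "type modules_dep_t;" is required unconditionally, while the commit message reports the denials on RHEL 8 only. A require of a type that the installed base policy does not define makes the whole module fail to load, so with the backport down to 2.13 it would help to state in the commit message on which other supported distributions modules_dep_t was confirmed to exist.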
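Review bot: the new modules_dep_t:file rule (@@ -121,6 +122,7) grants { getattr map open read }, but the AVC records quoted in the commit message show only read and open being denied. Please either quote the getattr and map denials as well or say in the commit message that the set mirrors the existing modules_object_t:file rule, so the grant can be checked against the audit log. Minor style point: the neighbouring modules_object_t:file line orders its set as { map getattr open read }; the alphabetical order used here is fine, but it is worth keeping the two lines consistent.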
On RHEL 8, a SELinux policy is missing when ovs-kmod-ctl use modprobe
to load kernel modules. This patch adds the missing permissions based
on /var/log/audit/audit.log

Example log of the AVC violations:
type=AVC msg=audit(1599075387.136:65): avc: denied { read } for
pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

type=AVC msg=audit(1599085253.148:45): avc: denied { open } for pid=1355
comm="modprobe" path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin"
dev="dm-0" ino=624258 scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

VMWare-BZ: #2633569
Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
---
 selinux/openvswitch-custom.te.in | 2 ++
 1 file changed, 2 insertions(+)
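
The commit message above derives the new rule from AVC denials in audit.log. As an added example (not part of the patch or of Open vSwitch), this Python sketch does a reduced version of that step: it groups the two quoted AVC records into an allow rule and reports which permissions of a proposed rule the quoted records do not account for. The function names are hypothetical, and the log text is the two records from the commit message joined onto single lines.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the commit message, one record per line.
AVC_LOG = """\
type=AVC msg=audit(1599075387.136:65): avc: denied { read } for pid=1472 comm="modprobe" name="modules.alias.bin" dev="dm-0" ino=586629 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599085253.148:45): avc: denied { open } for pid=1355 comm="modprobe" path="/usr/lib/modules/4.18.0-193.el8.x86_64/modules.dep.bin" dev="dm-0" ino=624258 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_permissions(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)

def allow_rules(denied):
    """Render one type-enforcement allow rule per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denied.items())
    ]

def unlogged(granted, denied_perms):
    """Permissions of a proposed rule that no parsed denial accounts for."""
    return sorted(set(granted) - set(denied_perms))

if __name__ == "__main__":
    denied = denied_permissions(AVC_LOG)
    print("\n".join(allow_rules(denied)))
    key = ("openvswitch_load_module_t", "modules_dep_t", "file")
    print("not in quoted log:", unlogged("getattr map open read".split(), denied[key]))
```

With permissive=0 the first denied operation fails, so later permissions in the same code path only show up in the log after the earlier ones are granted; a rule wider than the quoted records is expected, but each extra permission should still be traceable to a denial.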