Message ID | 20160722211051.23369-1-joe@ovn.org |
---|---|
State | Accepted |
On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> force-reload-kmod', spurious errors would output related to 'hostname'
> and 'ip', and the system's selinux audit log would complain about some
> of the invocations such as those listed at the end of this commit message.
>
> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> well as all of the OVS daemons) to allow it to execute 'hostname' and
> 'ip' commands, and also to execute temporary files created as
> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
>
> Example audit logs:
> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
>
> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
>
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---

LGTM.
Acked-by: Flavio Leitner <fbl@sysclose.org>
On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
>> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
>> force-reload-kmod', spurious errors would output related to 'hostname'
>> and 'ip', and the system's selinux audit log would complain about some
>> of the invocations such as those listed at the end of this commit message.
>>
>> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
>> well as all of the OVS daemons) to allow it to execute 'hostname' and
>> 'ip' commands, and also to execute temporary files created as
>> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
>>
>> Example audit logs:
>> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
>> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
>> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
>> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
>>
>> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
>> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
>> scontext=unconfined_u:system_r:openvswitch_t:s0
>> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>>
>> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
>> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
>> scontext=unconfined_u:system_r:openvswitch_t:s0
>> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
>>
>> Signed-off-by: Joe Stringer <joe@ovn.org>
>> ---
>
> LGTM.
> Acked-by: Flavio Leitner <fbl@sysclose.org>
>
>

Thanks for the review, applied to master.
On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> force-reload-kmod', spurious errors would output related to 'hostname'
> >> and 'ip', and the system's selinux audit log would complain about some
> >> of the invocations such as those listed at the end of this commit message.
> >>
> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> 'ip' commands, and also to execute temporary files created as
> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >>
> >> Example audit logs:
> >> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >>
> >> Signed-off-by: Joe Stringer <joe@ovn.org>
> >> ---
> >
> > LGTM.
> > Acked-by: Flavio Leitner <fbl@sysclose.org>
> >
> >
>
> Thanks for the review, applied to master.

I also opened a bug to fix this on Fedora:

Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
https://bugzilla.redhat.com/show_bug.cgi?id=1360465
On 26 July 2016 at 13:00, Flavio Leitner <fbl@sysclose.org> wrote:
> On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
>> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
>> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
>> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
>> >> force-reload-kmod', spurious errors would output related to 'hostname'
>> >> and 'ip', and the system's selinux audit log would complain about some
>> >> of the invocations such as those listed at the end of this commit message.
>> >>
>> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
>> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
>> >> 'ip' commands, and also to execute temporary files created as
>> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
>> >>
>> >> Example audit logs:
>> >> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
>> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
>> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
>> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
>> >>
>> >> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
>> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
>> >> scontext=unconfined_u:system_r:openvswitch_t:s0
>> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>> >>
>> >> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
>> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
>> >> scontext=unconfined_u:system_r:openvswitch_t:s0
>> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
>> >>
>> >> Signed-off-by: Joe Stringer <joe@ovn.org>
>> >> ---
>> >
>> > LGTM.
>> > Acked-by: Flavio Leitner <fbl@sysclose.org>
>> >
>> >
>>
>> Thanks for the review, applied to master.
>
> I also opened a bug to fix this on Fedora:
>
> Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
> https://bugzilla.redhat.com/show_bug.cgi?id=1360465
>
> --
> fbl

Thanks. For what it's worth, when I tried, if I invoke "/usr/share/openvswitch/scripts/ovs-ctl force-reload-kmod" directly on centos7, OVS restarts unconfined. Usually in the openvswitch.spec path I will run it indirectly via /etc/init.d/openvswitch, but that isn't an option in the fedora packaging.
On Tue, Jul 26, 2016 at 01:31:00PM -0700, Joe Stringer wrote:
> On 26 July 2016 at 13:00, Flavio Leitner <fbl@sysclose.org> wrote:
> > On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> >> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> >> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> >> force-reload-kmod', spurious errors would output related to 'hostname'
> >> >> and 'ip', and the system's selinux audit log would complain about some
> >> >> of the invocations such as those listed at the end of this commit message.
> >> >>
> >> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> >> 'ip' commands, and also to execute temporary files created as
> >> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >> >>
> >> >> Example audit logs:
> >> >> type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for
> >> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for
> >> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for
> >> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >> >>
> >> >> Signed-off-by: Joe Stringer <joe@ovn.org>
> >> >> ---
> >> >
> >> > LGTM.
> >> > Acked-by: Flavio Leitner <fbl@sysclose.org>
> >>
> >> Thanks for the review, applied to master.
> >
> > I also opened a bug to fix this on Fedora:
> >
> > Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
> > https://bugzilla.redhat.com/show_bug.cgi?id=1360465
>
>
> Thanks. For what it's worth, when I tried, if I invoke
> "/usr/share/openvswitch/scripts/ovs-ctl force-reload-kmod" directly on
> centos7, OVS restarts unconfined. Usually in the openvswitch.spec path
> I will run it indirectly via /etc/init.d/openvswitch, but that isn't
> an option in the fedora packaging.

Right, because systemd doesn't support custom actions, so we have a few fixed actions available to play with. The plan is to move to 1:1 mapping between services and OVS daemons and run external scripts to manage those. See Aaron's patchset stepping in that direction.

The 'hostname' affects openvswitch-fedora.spec as well.
diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te index fc32b97eaf6f..47ddb562c5df 100644 --- a/selinux/openvswitch-custom.te +++ b/selinux/openvswitch-custom.te @@ -1,9 +1,16 @@ -module openvswitch-custom 1.0; +module openvswitch-custom 1.0.1; require { type openvswitch_t; + type openvswitch_tmp_t; + type ifconfig_exec_t; + type hostname_exec_t; class netlink_socket { setopt getopt create connect getattr write read }; + class file { write getattr read open execute execute_no_trans }; } #============= openvswitch_t ============== allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; +allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
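Review bot: the `require` block declares `write` in the `class file { ... }` permission set, but none of the three new allow rules grants `write`, so it can be dropped to `class file { getattr read open execute execute_no_trans };` and keep the declared permissions equal to the ones actually used. The `openvswitch_tmp_t` rule also deserves a one-line comment in the .te file: `execute execute_no_trans` on that type lets any file labelled openvswitch_tmp_t run inside the openvswitch_t domain, which is a broader grant than the per-binary rules for hostname_exec_t and ifconfig_exec_t, and the only justification on record is the `name="tmp.jdEGHntG3Z"` denial from `comm="ovs-ctl"` in the commit message. Naming the mktemp-generated script that force-reload-kmod executes next to the rule would record why the grant exists and what a later tightening (for example, a dedicated type for that script) would have to preserve.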
When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch force-reload-kmod', spurious errors would output related to 'hostname' and 'ip', and the system's selinux audit log would complain about some of the invocations such as those listed at the end of this commit message.

This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as well as all of the OVS daemons) to allow it to execute 'hostname' and 'ip' commands, and also to execute temporary files created as openvswitch_tmp_t. This allows force-reload-kmod to run correctly.

Example audit logs:

type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file

Signed-off-by: Joe Stringer <joe@ovn.org>
---
 selinux/openvswitch-custom.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)