From patchwork Fri Jul 15 01:36:10 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Stringer X-Patchwork-Id: 648631 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from archives.nicira.com (archives.nicira.com [96.126.127.54]) by ozlabs.org (Postfix) with ESMTP id 3rrFXY4fSgz9s6r for ; Fri, 15 Jul 2016 11:36:29 +1000 (AEST) Received: from archives.nicira.com (localhost [127.0.0.1]) by archives.nicira.com (Postfix) with ESMTP id 4E2BC10C69; Thu, 14 Jul 2016 18:36:28 -0700 (PDT) X-Original-To: dev@openvswitch.org Delivered-To: dev@openvswitch.org Received: from mx1e4.cudamail.com (mx1.cudamail.com [69.90.118.67]) by archives.nicira.com (Postfix) with ESMTPS id 9D81B10C67 for ; Thu, 14 Jul 2016 18:36:27 -0700 (PDT) Received: from bar5.cudamail.com (unknown [192.168.21.12]) by mx1e4.cudamail.com (Postfix) with ESMTPS id E30451E0939 for ; Thu, 14 Jul 2016 19:36:26 -0600 (MDT) X-ASG-Debug-ID: 1468546585-09eadd4f9d24ce0001-byXFYA Received: from mx3-pf2.cudamail.com ([192.168.14.1]) by bar5.cudamail.com with ESMTP id qE8SCdLK0NDCPoN3 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Thu, 14 Jul 2016 19:36:25 -0600 (MDT) X-Barracuda-Envelope-From: joe@ovn.org X-Barracuda-RBL-Trusted-Forwarder: 192.168.14.1 Received: from unknown (HELO relay4-d.mail.gandi.net) (217.70.183.196) by mx3-pf2.cudamail.com with ESMTPS (DHE-RSA-AES256-SHA encrypted); 15 Jul 2016 01:36:25 -0000 Received-SPF: pass (mx3-pf2.cudamail.com: SPF record at ovn.org designates 217.70.183.196 as permitted sender) X-Barracuda-Apparent-Source-IP: 217.70.183.196 X-Barracuda-RBL-IP: 217.70.183.196 Received: from mfilter30-d.gandi.net (mfilter30-d.gandi.net [217.70.178.161]) by relay4-d.mail.gandi.net (Postfix) with ESMTP id ABCDB172095; Fri, 15 Jul 2016 03:36:22 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mfilter30-d.gandi.net Received: from relay4-d.mail.gandi.net ([IPv6:::ffff:217.70.183.196]) by mfilter30-d.gandi.net (mfilter30-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id bGkzevUn5b61; Fri, 15 Jul 2016 03:36:21 +0200 (CEST) X-Originating-IP: 208.91.1.34 Received: from archer.eng.vmware.com (unknown [208.91.1.34]) (Authenticated sender: joe@ovn.org) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id EA2FB172094; Fri, 15 Jul 2016 03:36:19 +0200 (CEST) X-CudaMail-Envelope-Sender: joe@ovn.org From: Joe Stringer To: dev@openvswitch.org X-CudaMail-Whitelist-To: dev@openvswitch.org X-CudaMail-MID: CM-V2-713057199 X-CudaMail-DTE: 071416 X-CudaMail-Originating-IP: 217.70.183.196 Date: Thu, 14 Jul 2016 18:36:10 -0700 X-ASG-Orig-Subj: [##CM-V2-713057199##][RFC PATCH] selinux: Allow ovs-ctl force-reload-kmod. Message-Id: <20160715013610.24288-1-joe@ovn.org> X-Mailer: git-send-email 2.9.0 X-Barracuda-Connect: UNKNOWN[192.168.14.1] X-Barracuda-Start-Time: 1468546585 X-Barracuda-Encrypted: DHE-RSA-AES256-SHA X-Barracuda-URL: https://web.cudamail.com:443/cgi-mod/mark.cgi X-ASG-Whitelist: Header =?UTF-8?B?eFwtY3VkYW1haWxcLXdoaXRlbGlzdFwtdG8=?= X-Virus-Scanned: by bsmtpd at cudamail.com X-Barracuda-BRTS-Status: 1 Cc: fbl@sysclose.org, aatteka@ovn.org Subject: [ovs-dev] [RFC PATCH] selinux: Allow ovs-ctl force-reload-kmod. X-BeenThere: dev@openvswitch.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dev-bounces@openvswitch.org Sender: "dev" When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch force-reload-kmod', spurious errors would output related to 'hostname' and 'ip', and the system's selinux audit log would complain about some of the invocations such as those listed at the end of this commit message. This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as well as all of the OVS daemons) to allow it to execute 'hostname' and 'ip' commands, and also to execute temporary files created as openvswitch_tmp_t. This allows force-reload-kmod to run correctly. Example audit logs: type=AVC msg=audit(1468515192.912:16720): avc: denied { getattr } for pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file type=AVC msg=audit(1468519445.766:16829): avc: denied { getattr } for pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file type=AVC msg=audit(1468519445.890:16833): avc: denied { execute } for pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file Signed-off-by: Joe Stringer --- selinux/openvswitch-custom.te | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te index fc32b97eaf6f..47ddb562c5df 100644 --- a/selinux/openvswitch-custom.te +++ b/selinux/openvswitch-custom.te @@ -1,9 +1,16 @@ -module openvswitch-custom 1.0; +module openvswitch-custom 1.0.1; require { type openvswitch_t; + type openvswitch_tmp_t; + type ifconfig_exec_t; + type hostname_exec_t; class netlink_socket { setopt getopt create connect getattr write read }; + class file { write getattr read open execute execute_no_trans }; } #============= openvswitch_t ============== allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read }; +allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans }; +allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };