[ovs-dev] selinux: Allow ovs-ctl force-reload-kmod.

Message ID 20160722211051.23369-1-joe@ovn.org
State Accepted

Commit Message

Joe Stringer July 22, 2016, 9:10 p.m. UTC
When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
force-reload-kmod', spurious errors would be output related to 'hostname'
and 'ip', and the system's selinux audit log would complain about some
of the invocations such as those listed at the end of this commit message.

This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
well as all of the OVS daemons) to allow it to execute 'hostname' and
'ip' commands, and also to execute temporary files created as
openvswitch_tmp_t. This allows force-reload-kmod to run correctly.

Example audit logs:
type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
scontext=unconfined_u:system_r:openvswitch_t:s0
tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file

Signed-off-by: Joe Stringer <joe@ovn.org>
---
 selinux/openvswitch-custom.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
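An added check, written for this page and not part of the patch or the Open vSwitch tree: the script below parses the AVC records quoted in the commit message (joined onto single lines, as auditd writes them), derives the minimal audit2allow-style allow rules they imply, and then tests whether a policy text covers every denied permission. The before/after policy strings are transcribed from the hunk; the function and variable names are my own.

```python
import re

# Sample input: the three AVC denials from the commit message, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1" ino=33557805 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
"""

# Allow rules transcribed from openvswitch-custom.te before and after the patch.
POLICY_BEFORE = """
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
"""
POLICY_AFTER = POLICY_BEFORE + """
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
"""

AVC_RE = re.compile(r'^type=AVC\b.*?\bavc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;')


def parse_avc(line):
    """Parse one AVC record into its security-relevant parts, or None if not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    result, perms, rest = m.groups()
    # key=value pairs; quoted values (path, comm, name) may contain spaces.
    fields = {k: q if q else u for k, q, u in FIELD_RE.findall(rest)}
    return {
        'result': result,
        'perms': set(perms.split()),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        # user:role:type:level -> the type is the third field
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_audit(text):
    """Return only the denied AVC records from an audit log excerpt."""
    return [d for d in map(parse_avc, text.splitlines()) if d and d['result'] == 'denied']


def required_rules(denials):
    """Minimal allow rules that would satisfy the denials, audit2allow-style."""
    needed = {}
    for d in denials:
        key = (d['source_type'], d['target_type'], d['tclass'])
        needed.setdefault(key, set()).update(d['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


def parse_policy(text):
    """Collect (source, target, class) -> granted permissions from allow rules."""
    granted = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        s, t, c, many, one = m.groups()
        t = s if t == 'self' else t
        granted.setdefault((s, t, c), set()).update(many.split() if many else {one})
    return granted


def uncovered(policy_text, denials):
    """(source, target, class, perm) tuples the policy would still deny."""
    granted = parse_policy(policy_text)
    missing = set()
    for d in denials:
        key = (d['source_type'], d['target_type'], d['tclass'])
        for p in d['perms']:
            if p not in granted.get(key, set()):
                missing.add(key + (p,))
    return sorted(missing)


if __name__ == '__main__':
    denials = parse_audit(SAMPLE_AUDIT)
    for d in denials:
        print('%-9s %-8s %s -> %s' % (d['comm'], ' '.join(d['perms']), d['object'], d['target_type']))
    print('\n'.join(required_rules(denials)))
    print('still denied before patch:', uncovered(POLICY_BEFORE, denials))
    print('still denied after patch: ', uncovered(POLICY_AFTER, denials))
```

Two things the output makes visible. First, the log only records the first permission refused on each access (getattr here), so the generated rules are a floor: once getattr is allowed, read, open, execute and execute_no_trans are denied in turn, which is why the patch grants that whole set for the two binaries. Collect, apply, re-run and collect again until the log is clean. Second, the rule for openvswitch_tmp_t is a different kind of grant from the other two: it permits openvswitch_t to execute any file carrying that label, not one named binary, so it deserves a closer look in review than the hostname and ip rules.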

Comments

Flavio Leitner July 25, 2016, 11:57 p.m. UTC | #1
On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> force-reload-kmod', spurious errors would be output related to 'hostname'
> and 'ip', and the system's selinux audit log would complain about some
> of the invocations such as those listed at the end of this commit message.
> 
> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> well as all of the OVS daemons) to allow it to execute 'hostname' and
> 'ip' commands, and also to execute temporary files created as
> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> 
> Example audit logs:
> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> 
> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> 
> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> 
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---

LGTM.
Acked-by: Flavio Leitner <fbl@sysclose.org>
Joe Stringer July 26, 2016, 7:41 p.m. UTC | #2
On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
>> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
>> force-reload-kmod', spurious errors would be output related to 'hostname'
>> and 'ip', and the system's selinux audit log would complain about some
>> of the invocations such as those listed at the end of this commit message.
>>
>> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
>> well as all of the OVS daemons) to allow it to execute 'hostname' and
>> 'ip' commands, and also to execute temporary files created as
>> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
>>
>> Example audit logs:
>> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
>> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
>> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
>> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
>>
>> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
>> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
>> scontext=unconfined_u:system_r:openvswitch_t:s0
>> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>>
>> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
>> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
>> scontext=unconfined_u:system_r:openvswitch_t:s0
>> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
>>
>> Signed-off-by: Joe Stringer <joe@ovn.org>
>> ---
>
> LGTM.
> Acked-by: Flavio Leitner <fbl@sysclose.org>
>
>

Thanks for the review, applied to master.
Flavio Leitner July 26, 2016, 8 p.m. UTC | #3
On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> force-reload-kmod', spurious errors would be output related to 'hostname'
> >> and 'ip', and the system's selinux audit log would complain about some
> >> of the invocations such as those listed at the end of this commit message.
> >>
> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> 'ip' commands, and also to execute temporary files created as
> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >>
> >> Example audit logs:
> >> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >>
> >> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >>
> >> Signed-off-by: Joe Stringer <joe@ovn.org>
> >> ---
> >
> > LGTM.
> > Acked-by: Flavio Leitner <fbl@sysclose.org>
> >
> >
> 
> Thanks for the review, applied to master.

I also opened a bug to fix it on Fedora:

Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
https://bugzilla.redhat.com/show_bug.cgi?id=1360465
Joe Stringer July 26, 2016, 8:31 p.m. UTC | #4
On 26 July 2016 at 13:00, Flavio Leitner <fbl@sysclose.org> wrote:
> On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
>> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
>> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
>> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
>> >> force-reload-kmod', spurious errors would be output related to 'hostname'
>> >> and 'ip', and the system's selinux audit log would complain about some
>> >> of the invocations such as those listed at the end of this commit message.
>> >>
>> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
>> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
>> >> 'ip' commands, and also to execute temporary files created as
>> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
>> >>
>> >> Example audit logs:
>> >> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
>> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
>> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
>> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
>> >>
>> >> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
>> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
>> >> scontext=unconfined_u:system_r:openvswitch_t:s0
>> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>> >>
>> >> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
>> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
>> >> scontext=unconfined_u:system_r:openvswitch_t:s0
>> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
>> >>
>> >> Signed-off-by: Joe Stringer <joe@ovn.org>
>> >> ---
>> >
>> > LGTM.
>> > Acked-by: Flavio Leitner <fbl@sysclose.org>
>> >
>> >
>>
>> Thanks for the review, applied to master.
>
> I also opened a bug to fix it on Fedora:
>
> Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
> https://bugzilla.redhat.com/show_bug.cgi?id=1360465
>
> --
> fbl

Thanks. For what it's worth, when I tried, if I invoke
"/usr/share/openvswitch/scripts/ovs-ctl force-reload-kmod" directly on
centos7, OVS restarts unconfined. Usually in the openvswitch.spec path
I will run it indirectly via /etc/init.d/openvswitch, but that isn't
an option in the fedora packaging.
Flavio Leitner July 26, 2016, 8:45 p.m. UTC | #5
On Tue, Jul 26, 2016 at 01:31:00PM -0700, Joe Stringer wrote:
> On 26 July 2016 at 13:00, Flavio Leitner <fbl@sysclose.org> wrote:
> > On Tue, Jul 26, 2016 at 12:41:01PM -0700, Joe Stringer wrote:
> >> On 25 July 2016 at 16:57, Flavio Leitner <fbl@sysclose.org> wrote:
> >> > On Fri, Jul 22, 2016 at 02:10:51PM -0700, Joe Stringer wrote:
> >> >> When invoking ovs-ctl force-reload-kmod via '/etc/init.d/openvswitch
> >> >> force-reload-kmod', spurious errors would be output related to 'hostname'
> >> >> and 'ip', and the system's selinux audit log would complain about some
> >> >> of the invocations such as those listed at the end of this commit message.
> >> >>
> >> >> This patch loosens restrictions for openvswitch_t (used for ovs-ctl, as
> >> >> well as all of the OVS daemons) to allow it to execute 'hostname' and
> >> >> 'ip' commands, and also to execute temporary files created as
> >> >> openvswitch_tmp_t. This allows force-reload-kmod to run correctly.
> >> >>
> >> >> Example audit logs:
> >> >> type=AVC msg=audit(1468515192.912:16720): avc:  denied  { getattr } for
> >> >> pid=11687 comm="ovs-ctl" path="/usr/bin/hostname" dev="dm-1"
> >> >> ino=33557805 scontext=system_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.766:16829): avc:  denied  { getattr } for
> >> >> pid=13920 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67572988
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >> >>
> >> >> type=AVC msg=audit(1468519445.890:16833): avc:  denied  { execute } for
> >> >> pid=13849 comm="ovs-ctl" name="tmp.jdEGHntG3Z" dev="dm-1" ino=106876762
> >> >> scontext=unconfined_u:system_r:openvswitch_t:s0
> >> >> tcontext=unconfined_u:object_r:openvswitch_tmp_t:s0 tclass=file
> >> >>
> >> >> Signed-off-by: Joe Stringer <joe@ovn.org>
> >> >> ---
> >> >
> >> > LGTM.
> >> > Acked-by: Flavio Leitner <fbl@sysclose.org>
> >>
> >> Thanks for the review, applied to master.
> >
> > I also opened a bug to fix it on Fedora:
> >
> > Bug 1360465 - SELinux blocks OVS to run 'hostname' and 'ip'
> > https://bugzilla.redhat.com/show_bug.cgi?id=1360465
> >
> Thanks. For what it's worth, when I tried, if I invoke
> "/usr/share/openvswitch/scripts/ovs-ctl force-reload-kmod" directly on
> centos7, OVS restarts unconfined. Usually in the openvswitch.spec path
> I will run it indirectly via /etc/init.d/openvswitch, but that isn't
> an option in the fedora packaging.

Right: systemd doesn't support custom actions, so we have
a few fixed actions available to play with.  The plan is to move to
1:1 mapping between services and OVS daemons and run external scripts
to manage those.  See Aaron's patchset stepping in that direction.

The 'hostname' affects openvswitch-fedora.spec as well.

Patch

diff --git a/selinux/openvswitch-custom.te b/selinux/openvswitch-custom.te
index fc32b97eaf6f..47ddb562c5df 100644
--- a/selinux/openvswitch-custom.te
+++ b/selinux/openvswitch-custom.te
@@ -1,9 +1,16 @@ 
-module openvswitch-custom 1.0;
+module openvswitch-custom 1.0.1;
 
 require {
         type openvswitch_t;
+        type openvswitch_tmp_t;
+        type ifconfig_exec_t;
+        type hostname_exec_t;
         class netlink_socket { setopt getopt create connect getattr write read };
+        class file { write getattr read open execute execute_no_trans };
 }
 
 #============= openvswitch_t ==============
 allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
+allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
+allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
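Review bot: the last added rule, `allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };`, is much wider than the two above it: the hostname_exec_t and ifconfig_exec_t rules name specific system binaries, whereas this one lets every file labelled openvswitch_tmp_t be executed in the openvswitch_t domain, so any daemon covered by openvswitch_t that can write a temp file can also run it. A comment in the .te stating which temporary file ovs-ctl needs this for (the `tmp.jdEGHntG3Z` case from the commit message) would let a later reader judge whether the grant can be narrowed. Two smaller points: the new `class file { write getattr read open execute execute_no_trans };` require line lists `write`, which none of the allow rules in this hunk uses, so it can be dropped; and `execute_no_trans` on hostname and ip means they keep running as openvswitch_t instead of transitioning to their own domains, which is fine for a custom module but is worth stating in the commit message as a deliberate choice.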