On Tue, 20 Mar 2018 17:05:14 -0400 Aaron Conole <acon...@redhat.com> wrote:
> On linux systems, the initial start of openvswitch attempts to load
> the openvswitch.ko kernel module. This module allows openvswitch to
> utilize the kernel datapath.
>
> Some of these linux systems, notably Fedora and RHEL, use selinux to
> enforce additional restrictions on various processes by way of
> allowing or disallowing access from a specific selinux domain to a
> particular operation on an selinux type. On these systems, the
> openvswitch initialization will be run from the 'openvswitch_t'
> selinux domain. Attempts by a process in the 'openvswitch_t' selinux
> domain to load a kernel module will be denied.
>
> One solution would be to simply allow 'openvswitch_t' to load a kernel
> directly. This essentially means that 'openvswitch_t' would really be
> 'unconfined_t' - since an attacker that can control the code can issue
> a kernel load.
>
> The solution implemented here uses a labeled file in the openvswitch
> scripts directory, which is writable only by root. That file will
> force a domain transition to the 'openvswitch_load_module_t' domain.
> The 'openvswitch_load_module_t' domain will then be granted
> permissions to load a kernel module.
>
> Please vet the new permissions in 2/4 *carefully*. I've tried to keep
> it as restricted as possible. If there are any useful selinux
> interfaces that would simplify the permission grants needed for the
> new domain, I'm happy to spin a v2.
>
> Aaron Conole (4):
>   ovs-kmod-ctl: introduce a kernel module load script
>   selinux: create a transition type for module loading
>   selinux: introduce domain transitioned kmod helper
>   rhel: selinux-policy to invoke proper label macros
>
>  debian/openvswitch-switch.install  |   1 +
>  debian/openvswitch-switch.manpages |   1 +
>  rhel/openvswitch-fedora.spec.in    |  12 +-
>  rhel/openvswitch.spec.in           |   2 +
>  selinux/.gitignore                 |   4 +
>  selinux/automake.mk                |   3 +-
>  selinux/openvswitch-custom.fc.in   |   1 +
>  selinux/openvswitch-custom.te.in   |  79 ++++++++++++-
>  utilities/.gitignore               |   1 +
>  utilities/automake.mk              |   5 +
>  utilities/ovs-ctl.in               |  32 +-----
>  utilities/ovs-kmod-ctl.8           | 103 +++++++++++++++++
>  utilities/ovs-kmod-ctl.in          | 228 +++++++++++++++++++++++++++++++++++++
>  utilities/ovs-lib.in               |  12 +-
>  14 files changed, 439 insertions(+), 45 deletions(-)
>  create mode 100644 selinux/openvswitch-custom.fc.in
>  create mode 100644 utilities/ovs-kmod-ctl.8
>  create mode 100644 utilities/ovs-kmod-ctl.in

Series Acked-By: Timothy Redaelli <tredae...@redhat.com>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
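An added example, not part of this thread or of the series' actual policy, sketching in refpolicy-style SELinux policy language the confinement pattern the cover letter describes: a labeled entrypoint file that transitions 'openvswitch_t' into a small 'openvswitch_load_module_t' domain, which alone receives module-loading permission. Only the two domain names come from the cover letter; the helper's install path (a placeholder), the exec type name and the refpolicy interface names are assumptions.

```selinux
# ---- .te fragment (assumed module name and interfaces) ----
policy_module(openvswitch_load_module_example, 1.0)

gen_require(`
    type openvswitch_t;      # daemon/init-script domain, assumed to exist
    role system_r;
')

# Tightly scoped helper domain: the only domain allowed to load modules.
type openvswitch_load_module_t;
domain_type(openvswitch_load_module_t)
role system_r types openvswitch_load_module_t;

# Type for the labeled helper script. Executing a file of this type is
# the sole way into openvswitch_load_module_t.
type openvswitch_load_module_exec_t;
domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t)

# Automatic transition openvswitch_t -> openvswitch_load_module_t when the
# helper is executed. This grants openvswitch_t only execute/transition on
# the helper, not write: a compromised daemon cannot swap the script out,
# and DAC (root-only write) backs that up.
domain_auto_trans(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t)

# Module loading is granted to the helper domain only; openvswitch_t keeps
# no sys_module capability. kernel_load_module is the refpolicy interface
# assumed to grant the capability and module_load permission.
kernel_load_module(openvswitch_load_module_t)
# Helper must locate the .ko under the kernel module tree (assumed interface).
files_read_kernel_modules(openvswitch_load_module_t)

# ---- .fc fragment ----
# Label the helper script so the transition above fires. Placeholder path:
# substitute the distribution's actual openvswitch scripts directory.
/PLACEHOLDER/openvswitch/scripts/ovs-kmod-ctl -- gen_context(system_u:object_r:openvswitch_load_module_exec_t,s0)
```

After loading the module and running `restorecon` on the helper, `ls -Z` on the script should show openvswitch_load_module_exec_t, and `sesearch -A -s openvswitch_t -c capability` should list no sys_module grant for the daemon domain.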