Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-10 Thread Qiuyu Xiao
Hi Aaron,

Thanks for the feedback!

On Fri, Aug 10, 2018 at 12:03 PM, Aaron Conole  wrote:
>
> Ben Pfaff  writes:
>
> > On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> >> Ben Pfaff  writes:
> >>
> >> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  
> >> >> wrote:
> >> >> >
> >> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >> >
> >> >> > Signed-off-by: Qiuyu Xiao 
> >> >> > Signed-off-by: Ansis Atteka 
> >> >> > Co-authored-by: Ansis Atteka 
> >> >>
> >> >> Did you test this patch on Fedora with SELinux enabled?
> >> >> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
> >> >> policy too:
> >> >
>
> Looking at the documentation and playing around here are my thoughts:
>
> 1. We probably can squelch the .local and ldconfig AVCs that pop out.
> These seem to be related more to the python environment of the ipsec
> monitor.
>
>   dontaudit openvswitch_t gconf_home_t:dir { search };
>   dontaudit openvswitch_t ldconfig_exec_t:file { execute };
>
> I don't think there's any harm in them, so the above would simply keep
> the alert log quiet.
>
> 2. The actual ipsec side seems a bit more complicated.
>
> Since the openvswitch-ipsec daemon writes configurations to /etc, it
> would be best to build a transition domain that has the ability just to
> modify those files and start the ipsec daemon.  I'm not sure it makes
> sense to allow openvswitch_t domain to write to all of /etc.  We can
> certainly grant that for now and make the transition domain something to
> do in the future.  I'll write that policy up and send it out (but it's a
> bit bigger - even the non-domain transition one - just because of the
> extra headache to allow /etc access).

The openvswitch-ipsec daemon directly changes `/etc/ipsec.conf` and
`/etc/ipsec.secrets`, and uses the `certutil` command to access NSS db
files in the `/etc/ipsec.d/` directory. Can we only grant SELinux
permissions to those files?

>
> On the other hand, it might be possible to use an existing ipsec service
> and use the ipsec dbus interface.  Can you take a look to see if we
> could integrate that by default and fall back to the manual monitoring
> mode.  That would be my preferred solution (but I don't know if it has
> all of the support needed).  The selinux policy for that is much simpler
> as well (just a few macros).

The LibreSwan wiki says that the dbus API is still under development.
Currently, the openvswitch-ipsec daemon uses the `ipsec` command to communicate
with the LibreSwan IPsec service.

-Qiuyu
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-10 Thread Aaron Conole
Ben Pfaff  writes:

> On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
>> Ben Pfaff  writes:
>> 
>> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
>> >> >
>> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >> >
>> >> > Signed-off-by: Qiuyu Xiao 
>> >> > Signed-off-by: Ansis Atteka 
>> >> > Co-authored-by: Ansis Atteka 
>> >> 
>> >> Did you test this patch on Fedora with SELinux enabled?
>> >> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
>> >> policy too:
>> >

Looking at the documentation and playing around here are my thoughts:

1. We probably can squelch the .local and ldconfig AVCs that pop out.
These seem to be related more to the python environment of the ipsec
monitor.

  dontaudit openvswitch_t gconf_home_t:dir { search };
  dontaudit openvswitch_t ldconfig_exec_t:file { execute };

I don't think there's any harm in them, so the above would simply keep
the alert log quiet.

2. The actual ipsec side seems a bit more complicated.

Since the openvswitch-ipsec daemon writes configurations to /etc, it
would be best to build a transition domain that has the ability just to
modify those files and start the ipsec daemon.  I'm not sure it makes
sense to allow openvswitch_t domain to write to all of /etc.  We can
certainly grant that for now and make the transition domain something to
do in the future.  I'll write that policy up and send it out (but it's a
bit bigger - even the non-domain transition one - just because of the
extra headache to allow /etc access).

On the other hand, it might be possible to use an existing ipsec service
and use the ipsec dbus interface.  Can you take a look to see if we
could integrate that by default and fall back to the manual monitoring
mode.  That would be my preferred solution (but I don't know if it has
all of the support needed).  The selinux policy for that is much simpler
as well (just a few macros).
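Aaron's plan above (dontaudit the harmless .local/ldconfig noise from the Python runtime, and grant the ipsec-side access coarsely "for now" until a transition domain exists) can be checked mechanically against the denials that Ansis quoted in this thread. The Python below is an added example, not code from the OVS tree or from anyone on the list: it parses audit records of the shape shown in that journal excerpt, merges repeated denials per (source type, target type, class), and renders a refpolicy-style module with its `require` block filled in. The sample journal lines are constructed (the real denials joined back onto single lines, plus one `gconf_home_t` record invented to match Aaron's proposed rule and one non-AVC line the parser must skip); which denials count as noise is a policy-author decision held in `NOISE`, not something the parser infers.

```python
"""Turn AVC denial records from journalctl into candidate SELinux rules.
Added example (not OVS code): merges repeated denials and separates
accepted noise (dontaudit) from real access needs (allow)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Audit record shape quoted in the thread:
#   AVC avc:  denied  { execute } for  pid=1769 comm="python" ...
#   scontext=system_u:system_r:openvswitch_t:s0 tcontext=...:ldconfig_exec_t:s0
#   tclass=file permissive=0
AVC_RE = re.compile(
    r"AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+permissive=(?P<permissive>[01])"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample journal: the denials from Ansis's excerpt joined back
# onto single lines, one gconf_home_t record invented to match Aaron's
# dontaudit rule, and one non-AVC line that the parser must skip.
SAMPLE_JOURNAL = [
    'Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc:  denied  { execute } for  pid=1769 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0',
    'Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc:  denied  { execute } for  pid=1776 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0',
    'Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc:  denied  { execute } for  pid=1788 comm="python" name="ipsec" dev="vda1" ino=149908 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=0',
    'Aug 09 19:37:16 fedoraubuilder.dev audit[1768]: AVC avc:  denied  { search } for  pid=1768 comm="python" name=".local" dev="vda1" ino=4242 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0',
    'Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs| ovs-monitor-ipsec | ERR | [Errno 13] Permission denied',
]

# Denials the policy author has decided are harmless noise from the Python
# runtime (Aaron's .local and ldconfig cases): dontaudit rather than allow.
NOISE = {("gconf_home_t", "dir"), ("ldconfig_exec_t", "file")}


class Denial(NamedTuple):
    source: str                 # source domain type, e.g. openvswitch_t
    target: str                 # target type, e.g. ipsec_mgmt_exec_t
    tclass: str                 # object class, e.g. file
    perms: Tuple[str, ...]
    permissive: bool            # True if the denial was only logged


class Rule(NamedTuple):
    verb: str                   # "allow" or "dontaudit"
    src: str
    tgt: str
    cls: str
    perms: Tuple[str, ...]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one journal line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {
        k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))
    }
    # A context is user:role:type:level; the type is what rules talk about.
    return Denial(
        source=fields["scontext"].split(":")[2],
        target=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        perms=tuple(sorted(m.group("perms").split())),
        permissive=m.group("permissive") == "1",
    )


def suggest_rules(lines: List[str], noise=NOISE) -> List[Rule]:
    """Merge denials per (source, target, class) and pick allow/dontaudit."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d.source, d.target, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        verb = "dontaudit" if (tgt, cls) in noise else "allow"
        rules.append(Rule(verb, src, tgt, cls, tuple(sorted(perms))))
    return rules


def format_rule(r: Rule) -> str:
    return f"{r.verb} {r.src} {r.tgt}:{r.cls} {{ {' '.join(r.perms)} }};"


def render_module(name: str, rules: List[Rule]) -> str:
    """Render a refpolicy-style .te module with the require block filled in."""
    types = sorted({t for r in rules for t in (r.src, r.tgt)})
    classes: Dict[str, set] = defaultdict(set)
    for r in rules:
        classes[r.cls].update(r.perms)
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [format_rule(r) for r in rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("openvswitch_ipsec_local", suggest_rules(SAMPLE_JOURNAL)), end="")
```

The three identical ldconfig denials collapse into the single `dontaudit openvswitch_t ldconfig_exec_t:file { execute };` that Aaron wrote, and the `ipsec_mgmt_exec_t` execute becomes a plain `allow` on `openvswitch_t`, which is the "grant for now" option from the thread. The tighter design Aaron describes, a separate domain entered on exec of the ipsec tool that is the only thing allowed to write the files Qiuyu listed under /etc, cannot be generated from denials alone and has to be written by hand.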


Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-09 Thread Ben Pfaff
On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> Ben Pfaff  writes:
> 
> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
> >> >
> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >
> >> > Signed-off-by: Qiuyu Xiao 
> >> > Signed-off-by: Ansis Atteka 
> >> > Co-authored-by: Ansis Atteka 
> >> 
> >> Did you test this patch on Fedora with SELinux enabled?
> >> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
> >> policy too:
> >
> > Is that something you can help with?  I doubt that Qiuyu has much
> > experience with SELinux (and I don't either).
> 
> I'll throw something together tomorrow, if Ansis isn't able to do so.

Thanks!


Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-09 Thread Aaron Conole
Ben Pfaff  writes:

> On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
>> >
>> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >
>> > Signed-off-by: Qiuyu Xiao 
>> > Signed-off-by: Ansis Atteka 
>> > Co-authored-by: Ansis Atteka 
>> 
>> Did you test this patch on Fedora with SELinux enabled?
>> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
>> policy too:
>
> Is that something you can help with?  I doubt that Qiuyu has much
> experience with SELinux (and I don't either).

I'll throw something together tomorrow, if Ansis isn't able to do so.

-Aaron


Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-09 Thread Ben Pfaff
On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
> >
> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >
> > Signed-off-by: Qiuyu Xiao 
> > Signed-off-by: Ansis Atteka 
> > Co-authored-by: Ansis Atteka 
> 
> Did you test this patch on Fedora with SELinux enabled?
> ovs-monitor-ipsec daemon fails to start. You need to create SELinux
> policy too:

Is that something you can help with?  I doubt that Qiuyu has much
experience with SELinux (and I don't either).


Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-09 Thread Ansis Atteka
On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao  wrote:
>
> Added rules and files to create debian and rpm ovs-ipsec packages.
>
> Signed-off-by: Qiuyu Xiao 
> Signed-off-by: Ansis Atteka 
> Co-authored-by: Ansis Atteka 

Did you test this patch on Fedora with SELinux enabled?
ovs-monitor-ipsec daemon fails to start. You need to create SELinux
policy too:

[root@fedoraubuilder vagrant]# systemctl restart openvswitch-ipsec
[root@fedoraubuilder vagrant]# ps -Af | grep ipsec
root  1799   880  0 19:37 pts/0    00:00:00 grep --color=auto ipsec
[root@fedoraubuilder vagrant]# journalctl -xe| tail -n20
-- Unit openvswitch-ipsec.service has begun starting up.
Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc:  denied  {
execute } for  pid=1769 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc:  denied  {
execute } for  pid=1776 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1781]: AVC avc:  denied  {
execute } for  pid=1781 comm="python" name="ldconfig" dev="vda1"
ino=133192 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc:  denied  {
execute } for  pid=1788 comm="python" name="ipsec" dev="vda1"
ino=149908 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file
permissive=0
Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs|  0  |
ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1760]: 2018-08-09T19:37:16Z
|  0  | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]:
2018-08-09T19:37:16Z|1|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-appctl[1797]:
ovs|1|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid:
open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]: ovs-appctl: cannot
read pidfile "/var/run/openvswitch/ovs-monitor-ipsec.pid" (No such
file or directory)
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_STOP pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=openvswitch-ipsec comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Aug 09 19:37:16 fedoraubuilder.dev systemd[1]: Started OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvswitch-ipsec.service has finished starting up.
-- 
-- The start-up result is done.



> ---
>  debian/automake.mk|   3 +
>  debian/control|  21 ++
>  debian/openvswitch-ipsec.dirs |   1 +
>  debian/openvswitch-ipsec.init | 181 ++
>  debian/openvswitch-ipsec.install  |   1 +
>  rhel/automake.mk  |   1 +
>  rhel/openvswitch-fedora.spec.in   |  19 +-
>  ...b_systemd_system_openvswitch-ipsec.service |  12 ++
>  utilities/ovs-ctl.in  |  18 ++
>  9 files changed, 256 insertions(+), 1 deletion(-)
>  create mode 100644 debian/openvswitch-ipsec.dirs
>  create mode 100644 debian/openvswitch-ipsec.init
>  create mode 100644 debian/openvswitch-ipsec.install
>  create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>
> diff --git a/debian/automake.mk b/debian/automake.mk
> index 4d8e204bb..8a8d43c9f 100644
> --- a/debian/automake.mk
> +++ b/debian/automake.mk
> @@ -20,6 +20,9 @@ EXTRA_DIST += \
> debian/openvswitch-datapath-source.copyright \
> debian/openvswitch-datapath-source.dirs \
> debian/openvswitch-datapath-source.install \
> +   debian/openvswitch-ipsec.dirs \
> +   debian/openvswitch-ipsec.init \
> +   debian/openvswitch-ipsec.install \
> debian/openvswitch-pki.dirs \
> debian/openvswitch-pki.postinst \
> debian/openvswitch-pki.postrm \
> diff --git a/debian/control b/debian/control
> index 9ae248f27..cde93f20e 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -322,3 +322,24 @@ Description: Open vSwitch development package
>   1000V.
>   .
>   This package provides openvswitch headers and libopenvswitch for developers.
> +
> 

[ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.

2018-08-07 Thread Qiuyu Xiao
Added rules and files to create debian and rpm ovs-ipsec packages.

Signed-off-by: Qiuyu Xiao 
Signed-off-by: Ansis Atteka 
Co-authored-by: Ansis Atteka 
---
 debian/automake.mk|   3 +
 debian/control|  21 ++
 debian/openvswitch-ipsec.dirs |   1 +
 debian/openvswitch-ipsec.init | 181 ++
 debian/openvswitch-ipsec.install  |   1 +
 rhel/automake.mk  |   1 +
 rhel/openvswitch-fedora.spec.in   |  19 +-
 ...b_systemd_system_openvswitch-ipsec.service |  12 ++
 utilities/ovs-ctl.in  |  18 ++
 9 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 debian/openvswitch-ipsec.dirs
 create mode 100644 debian/openvswitch-ipsec.init
 create mode 100644 debian/openvswitch-ipsec.install
 create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service

diff --git a/debian/automake.mk b/debian/automake.mk
index 4d8e204bb..8a8d43c9f 100644
--- a/debian/automake.mk
+++ b/debian/automake.mk
@@ -20,6 +20,9 @@ EXTRA_DIST += \
debian/openvswitch-datapath-source.copyright \
debian/openvswitch-datapath-source.dirs \
debian/openvswitch-datapath-source.install \
+   debian/openvswitch-ipsec.dirs \
+   debian/openvswitch-ipsec.init \
+   debian/openvswitch-ipsec.install \
debian/openvswitch-pki.dirs \
debian/openvswitch-pki.postinst \
debian/openvswitch-pki.postrm \
diff --git a/debian/control b/debian/control
index 9ae248f27..cde93f20e 100644
--- a/debian/control
+++ b/debian/control
@@ -322,3 +322,24 @@ Description: Open vSwitch development package
  1000V.
  .
  This package provides openvswitch headers and libopenvswitch for developers.
+
+Package: openvswitch-ipsec
+Architecture: linux-any
+Depends: iproute2,
+ openvswitch-common (= ${binary:Version}),
+ openvswitch-switch (= ${binary:Version}),
+ python,
+ python-openvswitch (= ${source:Version}),
+ strongswan,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: Open vSwitch IPsec tunneling support
+ Open vSwitch is a production quality, multilayer, software-based,
+ Ethernet virtual switch. It is designed to enable massive network
+ automation through programmatic extension, while still supporting
+ standard management interfaces and protocols (e.g. NetFlow, IPFIX,
+ sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed
+ to support distribution across multiple physical servers similar to
+ VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
+ .
+ This package provides IPsec tunneling support for OVS tunnels.
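Review bot: `Depends:` pins strongswan, yet the Fedora testing in this thread and Qiuyu's reply describe ovs-monitor-ipsec driving LibreSwan through the `ipsec` command and NSS databases via `certutil`; please confirm the daemon works against strongswan on Debian or state the supported IKE backend in the package description, since `ipsec.secrets` and certificate handling differ between the two. Also note that `python` and `python-openvswitch` are the Python 2 packages; worth checking that every targeted Debian release still ships them.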
diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs
new file mode 100644
index 0..fca44aa7b
--- /dev/null
+++ b/debian/openvswitch-ipsec.dirs
@@ -0,0 +1 @@
+usr/share/openvswitch/scripts
\ No newline at end of file
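Review bot: `debian/openvswitch-ipsec.dirs` is missing its trailing newline (`\ No newline at end of file`); add it so the file matches the other `.dirs` files and does not trip whitespace checks on later edits.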
diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init
new file mode 100644
index 0..8488beccf
--- /dev/null
+++ b/debian/openvswitch-ipsec.init
@@ -0,0 +1,181 @@
+#!/bin/sh
+#
+# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino 
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL;  if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides:  openvswitch-ipsec
+# Required-Start:$network $local_fs $remote_fs openvswitch-switch
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop:  0 1 6
+# Short-Description: Open vSwitch GRE-over-IPsec daemon
+# Description:   The ovs-monitor-ipsec script provides support for
+#encrypting GRE tunnels with IPsec.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location
+NAME=ovs-monitor-ipsec  # Introduce the short server's name here
+LOGDIR=/var/log/openvswitch # Log directory to use
+DATADIR=/usr/share/openvswitch
+
+PIDFILE=/var/run/openvswitch/$NAME.pid
+
+test -x $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+DODTIME=10  # Time to wait for the server to die, in seconds
+# If this value is set too low you might not
+# let some servers
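Review bot: the LSB header's `Short-Description` says "Open vSwitch GRE-over-IPsec daemon" and `Description` mentions only GRE tunnels, while `debian/control` in this same patch describes the package as IPsec support for OVS tunnels in general; align the two. `Required-Start` lists `openvswitch-switch` but not the IPsec service the monitor drives (the package depends on strongswan), so the daemon can start before the IKE daemon whose configuration it writes. The copyright block names the 2007/2009 Debian init-script skeleton author; if this file is adapted from that template, a line recording the OVS adaptation would make its provenance clear.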