Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Hi Aaron,

Thanks for the feedback!

On Fri, Aug 10, 2018 at 12:03 PM, Aaron Conole wrote:
>
> Ben Pfaff writes:
>
> > On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> >> Ben Pfaff writes:
> >>
> >> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
> >> >> >
> >> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >> >
> >> >> > Signed-off-by: Qiuyu Xiao
> >> >> > Signed-off-by: Ansis Atteka
> >> >> > Co-authored-by: Ansis Atteka
> >> >>
> >> >> Did you test this patch on Fedora with SElinux enabled?
> >> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> >> >> policy too:
> >> >
>
> Looking at the documentation and playing around here are my thoughts:
>
> 1. We probably can squelch the .local and ldconfig AVCs that pop out.
> These seem to be related more to the python environment of the ipsec
> monitor.
>
> dontaudit openvswitch_t gconf_home_t:dir { search };
> dontaudit openvswitch_t ldconfig_exec_t:file { execute };
>
> I don't think there's any harm in them, so the above would simply keep
> the alert log quiet.
>
> 2. The actual ipsec side seems a bit more complicated.
>
> Since the openvswitch-ipsec daemon writes configurations to /etc, it
> would be best to build a transition domain that has the ability just to
> modify those files and start the ipsec daemon. I'm not sure it makes
> sense to allow openvswitch_t domain to write to all of /etc. We can
> certainly grant that for now and make the transition domain something to
> do in the future. I'll write that policy up and send it out (but it's a
> bit bigger - even the non-domain transition one - just because of the
> extra headache to allow /etc access).

The openvswitch-ipsec directly changes `/etc/ipsec.conf` and
`/etc/ipsec.secrets`, and uses `certutil` command to access NSS db files
in `/etc/ipsec.d/` directory. Can we only grant SELinux permissions to
those files?

> On the other hand, it might be possible to use an existing ipsec service
> and use the ipsec dbus interface. Can you take a look to see if we
> could integrate that by default and fall back to the manual monitoring
> mode. That would be my preferred solution (but I don't know if it has
> all of the support needed). The selinux policy for that is much simpler
> as well (just a few macros).

LibreSwan wiki says that the dbus API is still under development.
Currently, openvswitch-ipsec daemon uses `ipsec` command to communicate
with LibreSwan IPsec service.

-Qiuyu

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Ben Pfaff writes:

> On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
>> Ben Pfaff writes:
>>
>> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
>> >> >
>> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >> >
>> >> > Signed-off-by: Qiuyu Xiao
>> >> > Signed-off-by: Ansis Atteka
>> >> > Co-authored-by: Ansis Atteka
>> >>
>> >> Did you test this patch on Fedora with SElinux enabled?
>> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
>> >> policy too:
>> >

Looking at the documentation and playing around here are my thoughts:

1. We probably can squelch the .local and ldconfig AVCs that pop out.
These seem to be related more to the python environment of the ipsec
monitor.

dontaudit openvswitch_t gconf_home_t:dir { search };
dontaudit openvswitch_t ldconfig_exec_t:file { execute };

I don't think there's any harm in them, so the above would simply keep
the alert log quiet.

2. The actual ipsec side seems a bit more complicated.

Since the openvswitch-ipsec daemon writes configurations to /etc, it
would be best to build a transition domain that has the ability just to
modify those files and start the ipsec daemon. I'm not sure it makes
sense to allow openvswitch_t domain to write to all of /etc. We can
certainly grant that for now and make the transition domain something to
do in the future. I'll write that policy up and send it out (but it's a
bit bigger - even the non-domain transition one - just because of the
extra headache to allow /etc access).

On the other hand, it might be possible to use an existing ipsec service
and use the ipsec dbus interface. Can you take a look to see if we
could integrate that by default and fall back to the manual monitoring
mode. That would be my preferred solution (but I don't know if it has
all of the support needed). The selinux policy for that is much simpler
as well (just a few macros).
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
On Thu, Aug 09, 2018 at 06:31:31PM -0400, Aaron Conole wrote:
> Ben Pfaff writes:
>
> > On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> >> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
> >> >
> >> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >> >
> >> > Signed-off-by: Qiuyu Xiao
> >> > Signed-off-by: Ansis Atteka
> >> > Co-authored-by: Ansis Atteka
> >>
> >> Did you test this patch on Fedora with SElinux enabled?
> >> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> >> policy too:
> >
> > Is that something you can help with? I doubt that Qiuyu has much
> > experience with SELinux (and I don't either).
>
> I'll throw something together tomorrow, if Ansis isn't able to do so.

Thanks!
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Ben Pfaff writes:

> On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
>> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
>> >
>> > Added rules and files to create debian and rpm ovs-ipsec packages.
>> >
>> > Signed-off-by: Qiuyu Xiao
>> > Signed-off-by: Ansis Atteka
>> > Co-authored-by: Ansis Atteka
>>
>> Did you test this patch on Fedora with SElinux enabled?
>> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
>> policy too:
>
> Is that something you can help with? I doubt that Qiuyu has much
> experience with SELinux (and I don't either).

I'll throw something together tomorrow, if Ansis isn't able to do so.

-Aaron
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
On Thu, Aug 09, 2018 at 12:40:39PM -0700, Ansis Atteka wrote:
> On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
> >
> > Added rules and files to create debian and rpm ovs-ipsec packages.
> >
> > Signed-off-by: Qiuyu Xiao
> > Signed-off-by: Ansis Atteka
> > Co-authored-by: Ansis Atteka
>
> Did you test this patch on Fedora with SElinux enabled?
> ovs-monitor-ipsec daemon fails to start. You need to create SElinux
> policy too:

Is that something you can help with? I doubt that Qiuyu has much
experience with SELinux (and I don't either).
Re: [ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
On Tue, 7 Aug 2018 at 09:43, Qiuyu Xiao wrote:
>
> Added rules and files to create debian and rpm ovs-ipsec packages.
>
> Signed-off-by: Qiuyu Xiao
> Signed-off-by: Ansis Atteka
> Co-authored-by: Ansis Atteka

Did you test this patch on Fedora with SElinux enabled?
ovs-monitor-ipsec daemon fails to start. You need to create SElinux
policy too:

[root@fedoraubuilder vagrant]# systemctl restart openvswitch-ipsec
[root@fedoraubuilder vagrant]# ps -Af | grep ipsec
root      1799   880  0 19:37 pts/0    00:00:00 grep --color=auto ipsec
[root@fedoraubuilder vagrant]# journalctl -xe| tail -n20
-- Unit openvswitch-ipsec.service has begun starting up.
Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc: denied { execute } for pid=1769 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc: denied { execute } for pid=1776 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1781]: AVC avc: denied { execute } for pid=1781 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc: denied { execute } for pid=1788 comm="python" name="ipsec" dev="vda1" ino=149908 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs| 0 | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1760]: 2018-08-09T19:37:16Z | 0 | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]: 2018-08-09T19:37:16Z|1|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid: open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-appctl[1797]: ovs|1|daemon_unix|WARN|/var/run/openvswitch/ovs-monitor-ipsec.pid: open: No such file or directory
Aug 09 19:37:16 fedoraubuilder.dev ovs-ctl[1789]: ovs-appctl: cannot read pidfile "/var/run/openvswitch/ovs-monitor-ipsec.pid" (No such file or directory)
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 09 19:37:16 fedoraubuilder.dev audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 09 19:37:16 fedoraubuilder.dev systemd[1]: Started OVS IPsec daemon.
-- Subject: Unit openvswitch-ipsec.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvswitch-ipsec.service has finished starting up.
--
-- The start-up result is done.

> ---
>  debian/automake.mk                            |   3 +
>  debian/control                                |  21 ++
>  debian/openvswitch-ipsec.dirs                 |   1 +
>  debian/openvswitch-ipsec.init                 | 181 ++
>  debian/openvswitch-ipsec.install              |   1 +
>  rhel/automake.mk                              |   1 +
>  rhel/openvswitch-fedora.spec.in               |  19 +-
>  ...b_systemd_system_openvswitch-ipsec.service |  12 ++
>  utilities/ovs-ctl.in                          |  18 ++
>  9 files changed, 256 insertions(+), 1 deletion(-)
>  create mode 100644 debian/openvswitch-ipsec.dirs
>  create mode 100644 debian/openvswitch-ipsec.init
>  create mode 100644 debian/openvswitch-ipsec.install
>  create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service
>
> diff --git a/debian/automake.mk b/debian/automake.mk
> index 4d8e204bb..8a8d43c9f 100644
> --- a/debian/automake.mk
> +++ b/debian/automake.mk
> @@ -20,6 +20,9 @@ EXTRA_DIST += \ > debian/openvswitch-datapath-source.copyright \ > debian/openvswitch-datapath-source.dirs \ > debian/openvswitch-datapath-source.install \ > + debian/openvswitch-ipsec.dirs \ > + debian/openvswitch-ipsec.init \ > + debian/openvswitch-ipsec.install \ > debian/openvswitch-pki.dirs \ > debian/openvswitch-pki.postinst \ > debian/openvswitch-pki.postrm \ > diff --git a/debian/control b/debian/control > index 9ae248f27..cde93f20e 100644 > --- a/debian/control > +++ b/debian/control > @@ -322,3 +322,24 @@ Description: Open vSwitch development package > 1000V. > . > This package provides openvswitch headers and libopenvswitch for developers. > + >
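The AVC records in the journal output above are the raw material for whatever policy ends up shipping with the package, and Aaron's message on this thread already sorts them into two buckets: denials that are harmless noise from the Python runtime (dontaudit) and the `ipsec` execute that needs a real decision (a direct allow now, a transition domain later). The script below is an added example, not part of the thread and not Open vSwitch code: it parses journalctl AVC lines, collapses the repeated ldconfig records, and emits one candidate rule per (source type, target type, class), choosing dontaudit for the targets Aaron named and a raw allow for everything else. The sample log is constructed in the shape of Ansis's output; the gconf_home_t/.local record is invented to stand in for the ".local" AVC Aaron mentions (it is not in the posted journal), and the NOISE_TARGET_TYPES set is my reading of his proposal, not something the page fixes.

```python
"""Triage SELinux AVC denials from journalctl output into candidate policy rules.

Added example for this thread; it is not Open vSwitch code.  The sample log is
constructed in the shape of the journalctl lines Ansis posted; the gconf_home_t
line is invented to stand in for the ".local" denial Aaron mentions and is not
in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input (see module docstring).
SAMPLE_JOURNAL = """\
Aug 09 19:37:16 fedoraubuilder.dev audit[1769]: AVC avc:  denied  { execute } for  pid=1769 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1776]: AVC avc:  denied  { execute } for  pid=1776 comm="python" name="ldconfig" dev="vda1" ino=133192 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1780]: AVC avc:  denied  { search } for  pid=1780 comm="python" name=".local" dev="vda1" ino=100001 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir permissive=0
Aug 09 19:37:16 fedoraubuilder.dev audit[1788]: AVC avc:  denied  { execute } for  pid=1788 comm="python" name="ipsec" dev="vda1" ino=149908 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_mgmt_exec_t:s0 tclass=file permissive=0
Aug 09 19:37:16 fedoraubuilder.dev python[1768]: ovs| 0 | ovs-monitor-ipsec | ERR | [Errno 13] Permission denied
"""

# "AVC avc:  denied  { execute }" -> result and the permission set.
AVC_HEAD = re.compile(r"AVC avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs that follow; values may be quoted ("python") or bare.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types Aaron proposed to dontaudit rather than allow: the denials come
# from the Python runtime probing around, not from anything the monitor needs.
# Assumption of this example, taken from his message.
NOISE_TARGET_TYPES = {"ldconfig_exec_t", "gconf_home_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other journal line."""
    head = AVC_HEAD.search(line)
    if head is None:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(line[head.end():])}
    try:
        return {
            "result": head.group(1),
            "perms": frozenset(head.group(2).split()),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            # Contexts look like user:role:type:level; policy rules are
            # written against the type component.
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None  # truncated record: do not guess at a rule for it


def denials(journal_text):
    """All denied AVC records in journal_text, in order of appearance."""
    recs = (parse_avc(line) for line in journal_text.splitlines())
    return [r for r in recs if r is not None and r["result"] == "denied"]


def suggest_rules(records):
    """Collapse records into one rule per (source, target, class).

    Known-noise targets get a dontaudit, as in Aaron's proposal; anything else
    gets a raw allow as a starting point.  The thread's position is that the
    ipsec_mgmt_exec_t execute should really become a domain transition, so
    treat the allow lines as a to-do list, not a finished module.
    """
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source_type"], r["target_type"], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        verb = "dontaudit" if tgt in NOISE_TARGET_TYPES else "allow"
        rules.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    recs = denials(SAMPLE_JOURNAL)
    print(f"{len(recs)} denials from {len({r['comm'] for r in recs})} command(s)")
    for rule in suggest_rules(recs):
        print(rule)
```

The allow lines are deliberately no smarter than what audit2allow would print: the point of Aaron's second item is that an execute permission on ipsec_mgmt_exec_t, and the writes to the files under /etc that Qiuyu lists, belong in a confined transition domain rather than in openvswitch_t itself, and a tool like this only tells you which denials need that decision. Note that it ignores anything that is not an AVC record, so the "[Errno 13] Permission denied" line from the monitor is skipped rather than misparsed.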
[ovs-dev] [PATCH v5 3/6] debian and rhel: Create IPsec package.
Added rules and files to create debian and rpm ovs-ipsec packages. Signed-off-by: Qiuyu Xiao Signed-off-by: Ansis Atteka Co-authored-by: Ansis Atteka --- debian/automake.mk| 3 + debian/control| 21 ++ debian/openvswitch-ipsec.dirs | 1 + debian/openvswitch-ipsec.init | 181 ++ debian/openvswitch-ipsec.install | 1 + rhel/automake.mk | 1 + rhel/openvswitch-fedora.spec.in | 19 +- ...b_systemd_system_openvswitch-ipsec.service | 12 ++ utilities/ovs-ctl.in | 18 ++ 9 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 debian/openvswitch-ipsec.dirs create mode 100644 debian/openvswitch-ipsec.init create mode 100644 debian/openvswitch-ipsec.install create mode 100644 rhel/usr_lib_systemd_system_openvswitch-ipsec.service diff --git a/debian/automake.mk b/debian/automake.mk index 4d8e204bb..8a8d43c9f 100644 --- a/debian/automake.mk +++ b/debian/automake.mk @@ -20,6 +20,9 @@ EXTRA_DIST += \ debian/openvswitch-datapath-source.copyright \ debian/openvswitch-datapath-source.dirs \ debian/openvswitch-datapath-source.install \ + debian/openvswitch-ipsec.dirs \ + debian/openvswitch-ipsec.init \ + debian/openvswitch-ipsec.install \ debian/openvswitch-pki.dirs \ debian/openvswitch-pki.postinst \ debian/openvswitch-pki.postrm \ diff --git a/debian/control b/debian/control index 9ae248f27..cde93f20e 100644 --- a/debian/control +++ b/debian/control 
@@ -322,3 +322,24 @@ Description: Open vSwitch development package 1000V. . This package provides openvswitch headers and libopenvswitch for developers. + +Package: openvswitch-ipsec +Architecture: linux-any +Depends: iproute2, + openvswitch-common (= ${binary:Version}), + openvswitch-switch (= ${binary:Version}), + python, + python-openvswitch (= ${source:Version}), + strongswan, + ${misc:Depends}, + ${shlibs:Depends} +Description: Open vSwitch IPsec tunneling support + Open vSwitch is a production quality, multilayer, software-based, + Ethernet virtual switch. It is designed to enable massive network + automation through programmatic extension, while still supporting + standard management interfaces and protocols (e.g. NetFlow, IPFIX, + sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). In addition, it is designed + to support distribution across multiple physical servers similar to + VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. + . + This package provides IPsec tunneling support for OVS tunnels. diff --git a/debian/openvswitch-ipsec.dirs b/debian/openvswitch-ipsec.dirs new file mode 100644 index 0..fca44aa7b --- /dev/null +++ b/debian/openvswitch-ipsec.dirs @@ -0,0 +1 @@ +usr/share/openvswitch/scripts \ No newline at end of file diff --git a/debian/openvswitch-ipsec.init b/debian/openvswitch-ipsec.init new file mode 100644 index 0..8488beccf --- /dev/null +++ b/debian/openvswitch-ipsec.init 
@@ -0,0 +1,181 @@ +#!/bin/sh +# +# Copyright (c) 2007, 2009 Javier Fernandez-Sanguino +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 59 Temple Place, +# Suite 330, Boston, MA 02111-1307 USA +# +### BEGIN INIT INFO +# Provides: openvswitch-ipsec +# Required-Start:$network $local_fs $remote_fs openvswitch-switch +# Required-Stop: $remote_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Open vSwitch GRE-over-IPsec daemon +# Description: The ovs-monitor-ipsec script provides support for +#encrypting GRE tunnels with IPsec. +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +DAEMON=/usr/share/openvswitch/scripts/ovs-monitor-ipsec # Daemon's location +NAME=ovs-monitor-ipsec # Introduce the short server's name here +LOGDIR=/var/log/openvswitch # Log directory to use +DATADIR=/usr/share/openvswitch + +PIDFILE=/var/run/openvswitch/$NAME.pid + +test -x $DAEMON || exit 0 + +. /lib/lsb/init-functions + +DODTIME=10 # Time to wait for the server to die, in seconds +# If this value is set too low you might not +# let some servers
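Review bot: in the debian/control hunk, `Depends:` names `strongswan` as the IKE daemon, while the follow-up on this thread says ovs-monitor-ipsec drives LibreSwan through the `ipsec` command and reads the NSS database with `certutil`. Please confirm the Debian package is meant to work with strongSwan only, or list the supported alternatives in `Depends:` and add whatever package provides `certutil` on the LibreSwan path.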
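Review bot: `debian/openvswitch-ipsec.dirs` is added without a trailing newline (`\ No newline at end of file` in the hunk); add one so the file matches the other `debian/*.dirs` files and later diffs against it stay clean.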
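Review bot: the LSB header in `debian/openvswitch-ipsec.init` calls this the "Open vSwitch GRE-over-IPsec daemon" and describes "encrypting GRE tunnels with IPsec", while the `debian/control` entry in the same patch describes "IPsec tunneling support for OVS tunnels"; align the two so the init script does not advertise a narrower scope than the package. The same header still carries the Debian skeleton's "Copyright (c) 2007, 2009 Javier Fernandez-Sanguino" line and a GPL notice; decide deliberately whether that licence header is what this project wants to ship, rather than inheriting it from the template.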