[ovs.git] / Documentation / howto / selinux.rst

..
      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

      Convention for heading levels in Open vSwitch documentation:

      =======  Heading 0 (reserved for the title in a document)
      -------  Heading 1
      ~~~~~~~  Heading 2
      +++++++  Heading 3
      '''''''  Heading 4

      Avoid deeper levels because they do not render well.

=========================
Open vSwitch with SELinux
=========================

Security-Enhanced Linux (SELinux) is a Linux kernel security module that limits
"the malicious things" that certain processes, including OVS, can do to the
system in case they get compromised.  In our case SELinux basically serves as
the "second line of defense" that limits the things that OVS processes are
allowed to do.  The "first line of defense" is proper input validation that
eliminates code paths that could be used by attacker to do any sort of "escape
attacks", such as file name escape, shell escape, command line argument escape,
buffer escape. Since developers don't always implement proper input validation,
then SELinux Access Control's goal is to confine damage of such attacks, if
they turned out to be possible.

Besides Type Enforcement there are other SELinux features, but they are out of
scope for this document.

Currently there are two SELinux policies for Open vSwitch:

- the one that ships with your Linux distribution (i.e.
  selinux-policy-targeted package)

- the one that ships with OVS (i.e. openvswitch-selinux-policy package)

Limitations
-----------

If Open vSwitch is directly started from command line, then it will run under
``unconfined_t`` SELinux domain that basically lets daemon to do whatever it
likes.  This is very important for developers to understand, because they might
introduced code in OVS that invokes new system calls that SELinux policy did
not anticipate.  This means that their feature may have worked out just fine
for them.  However, if someone else would try to run the same code when Open
vSwitch is started through systemctl, then Open vSwitch would get Permission
Denied errors.

Currently the only distributions that enforce SELinux on OVS by default are
RHEL, CentOS and Fedora.  While Ubuntu and Debian also have some SELinux
support, they run Open vSwitch under the unrestricted ``unconfined`` domain.
Also, it seems that Ubuntu is leaning towards Apparmor that works slightly
differently than SELinux.

SELinux and Open vSwitch are moving targets.  What this means is that, if you
solely rely on your Linux distribution's SELinux policy, then this policy might
not have correctly anticipated that a newer Open vSwitch version needs extra
white list rules.  However, if you solely rely on SELinux policy that ships
with Open vSwitch, then Open vSwitch developers might not have correctly
anticipated the feature set that your SELinux implementation supports.

Installation
------------

Refer to :doc:`/intro/install/fedora` for instructions on how to build all Open
vSwitch rpm packages.

Once the package is built, install it on your Linux distribution::

    $ dnf install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm

Restart Open vSwitch::

    $ systemctl restart openvswitch

Troubleshooting
---------------

When SELinux was implemented some of the standard system utilities acquired
``-Z`` flag (e.g. ``ps -Z``, ``ls -Z``).  For example, to find out under which
SELinux security domain process runs, use::

    $ ps -AZ | grep ovs-vswitchd
    system_u:system_r:openvswitch_t:s0 854 ?    ovs-vswitchd

To find out the SELinux label of file or directory, use::

    $ ls -Z /etc/openvswitch/conf.db
    system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db

If, for example, SELinux policy for Open vSwitch is too strict, then you might
see in Open vSwitch log files "Permission Denied" errors::

    $ cat /var/log/openvswitch/ovs-vswitchd.log
    vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
    ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
    ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
    netlink_socket|ERR|fcntl: Permission denied
    dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
                     The Open vSwitch kernel module is probably not loaded.
    dpif|WARN|failed to enumerate system datapaths: Permission denied
    dpif|WARN|failed to create datapath ovs-system: Permission denied

However, not all "Permission denied" errors are caused by SELinux.  So, before
blaming too strict SELinux policy, make sure that indeed SELinux was the one
that denied OVS access to certain resources, for example, run:

    $ grep "openvswitch_t" /var/log/audit/audit.log | tail
    type=AVC msg=audit(1453235431.640:114671): avc:  denied  { getopt } for  pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0

If SELinux denied OVS access to certain resources, then make sure that you have
installed our SELinux policy package that "loosens" up distribution's SELinux
policy::

    $ rpm -qa | grep openvswitch-selinux
    openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch

Then verify that this module was indeed loaded::

    # semodule -l | grep openvswitch
    openvswitch-custom    1.0
    openvswitch          1.1.1

If you still see Permission denied errors, then take a look into
``selinux/openvswitch.te`` file in the OVS source tree and try to add white
list rules.  This is really simple, just run SELinux audit2allow tool::

    $ grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal

Contributing SELinux policy patches
-----------------------------------

Here are few things to consider before proposing SELinux policy patches to Open
vSwitch developer mailing list:

1. The SELinux policy that resides in Open vSwitch source tree amends SELinux
   policy that ships with your distributions.

   Implications of this are that it is assumed that the distribution's Open
   vSwitch SELinux module must be already loaded to satisfy dependencies.

2. The SELinux policy that resides in Open vSwitch source tree must work on all
   currently relevant Linux distributions.

   Implications of this are that you should use only those SELinux policy
   features that are supported by the lowest SELinux version out there.
   Typically this means that you should test your SELinux policy changes on the
   oldest RHEL or CentOS version that this OVS version supports. Refer to
   :doc:`/intro/install/fedora` to find out this.

3. The SELinux policy is enforced only when state transition to
   ``openvswitch_t`` domain happens.

   Implications of this are that perhaps instead of loosening SELinux policy
   you can do certain things at the time rpm package is installed.

Reporting Bugs
--------------

Report problems to bugs@openvswitch.org.
Commit	Line	Data
24874488 SF	1	..
	2	Licensed under the Apache License, Version 2.0 (the "License"); you may
	3	not use this file except in compliance with the License. You may obtain
	4	a copy of the License at
	5
	6	http://www.apache.org/licenses/LICENSE-2.0
	7
	8	Unless required by applicable law or agreed to in writing, software
	9	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	10	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	11	License for the specific language governing permissions and limitations
	12	under the License.
	13
	14	Convention for heading levels in Open vSwitch documentation:
	15
	16	======= Heading 0 (reserved for the title in a document)
	17	------- Heading 1
	18	~~~~~~~ Heading 2
	19	+++++++ Heading 3
	20	''''''' Heading 4
	21
	22	Avoid deeper levels because they do not render well.
	23
	24	=========================
	25	Open vSwitch with SELinux
	26	=========================
	27
	28	Security-Enhanced Linux (SELinux) is a Linux kernel security module that limits
	29	"the malicious things" that certain processes, including OVS, can do to the
	30	system in case they get compromised. In our case SELinux basically serves as
	31	the "second line of defense" that limits the things that OVS processes are
	32	allowed to do. The "first line of defense" is proper input validation that
	33	eliminates code paths that could be used by attacker to do any sort of "escape
	34	attacks", such as file name escape, shell escape, command line argument escape,
	35	buffer escape. Since developers don't always implement proper input validation,
	36	then SELinux Access Control's goal is to confine damage of such attacks, if
	37	they turned out to be possible.
	38
	39	Besides Type Enforcement there are other SELinux features, but they are out of
	40	scope for this document.
	41
	42	Currently there are two SELinux policies for Open vSwitch:
	43
	44	- the one that ships with your Linux distribution (i.e.
	45	selinux-policy-targeted package)
	46
	47	- the one that ships with OVS (i.e. openvswitch-selinux-policy package)
	48
	49	Limitations
	50	-----------
	51
	52	If Open vSwitch is directly started from command line, then it will run under
	53	``unconfined_t`` SELinux domain that basically lets daemon to do whatever it
	54	likes. This is very important for developers to understand, because they might
	55	introduced code in OVS that invokes new system calls that SELinux policy did
	56	not anticipate. This means that their feature may have worked out just fine
	57	for them. However, if someone else would try to run the same code when Open
	58	vSwitch is started through systemctl, then Open vSwitch would get Permission
	59	Denied errors.
	60
	61	Currently the only distributions that enforce SELinux on OVS by default are
	62	RHEL, CentOS and Fedora. While Ubuntu and Debian also have some SELinux
	63	support, they run Open vSwitch under the unrestricted ``unconfined`` domain.
	64	Also, it seems that Ubuntu is leaning towards Apparmor that works slightly
65	differently than SELinux.
66
67	SELinux and Open vSwitch are moving targets. What this means is that, if you
68	solely rely on your Linux distribution's SELinux policy, then this policy might
69	not have correctly anticipated that a newer Open vSwitch version needs extra
70	white list rules. However, if you solely rely on SELinux policy that ships
71	with Open vSwitch, then Open vSwitch developers might not have correctly
72	anticipated the feature set that your SELinux implementation supports.
73
74	Installation
75	------------
76
795752a3 SF	77	Refer to :doc:`/intro/install/fedora` for instructions on how to build all Open
795752a3 SF	78	vSwitch rpm packages.
24874488 SF	79
	80	Once the package is built, install it on your Linux distribution::
	81
	82	$ dnf install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
	83
	84	Restart Open vSwitch::
	85
	86	$ systemctl restart openvswitch
	87
	88	Troubleshooting
	89	---------------
	90
	91	When SELinux was implemented some of the standard system utilities acquired
	92	``-Z`` flag (e.g. ``ps -Z``, ``ls -Z``). For example, to find out under which
	93	SELinux security domain process runs, use::
	94
	95	$ ps -AZ \| grep ovs-vswitchd
	96	system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd
	97
	98	To find out the SELinux label of file or directory, use::
	99
	100	$ ls -Z /etc/openvswitch/conf.db
	101	system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
	102
	103	If, for example, SELinux policy for Open vSwitch is too strict, then you might
	104	see in Open vSwitch log files "Permission Denied" errors::
	105
	106	$ cat /var/log/openvswitch/ovs-vswitchd.log
	107	vlog\|INFO\|opened log file /var/log/openvswitch/ovs-vswitchd.log
	108	ovs_numa\|INFO\|Discovered 2 CPU cores on NUMA node 0
	109	ovs_numa\|INFO\|Discovered 1 NUMA nodes and 2 CPU cores
	110	reconnect\|INFO\|unix:/var/run/openvswitch/db.sock: connecting...
	111	reconnect\|INFO\|unix:/var/run/openvswitch/db.sock: connected
	112	netlink_socket\|ERR\|fcntl: Permission denied
	113	dpif_netlink\|ERR\|Generic Netlink family 'ovs_datapath' does not exist.
	114	The Open vSwitch kernel module is probably not loaded.
	115	dpif\|WARN\|failed to enumerate system datapaths: Permission denied
	116	dpif\|WARN\|failed to create datapath ovs-system: Permission denied
	117
	118	However, not all "Permission denied" errors are caused by SELinux. So, before
	119	blaming too strict SELinux policy, make sure that indeed SELinux was the one
	120	that denied OVS access to certain resources, for example, run:
	121
	122	$ grep "openvswitch_t" /var/log/audit/audit.log \| tail
	123	type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
	124
	125	If SELinux denied OVS access to certain resources, then make sure that you have
	126	installed our SELinux policy package that "loosens" up distribution's SELinux
	127	policy::
	128
	129	$ rpm -qa \| grep openvswitch-selinux
	130	openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
	131
	132	Then verify that this module was indeed loaded::
	133
	134	# semodule -l \| grep openvswitch
	135	openvswitch-custom 1.0
	136	openvswitch 1.1.1
	137
	138	If you still see Permission denied errors, then take a look into
	139	``selinux/openvswitch.te`` file in the OVS source tree and try to add white
	140	list rules. This is really simple, just run SELinux audit2allow tool::
	141
	142	$ grep "openvswitch_t" /var/log/audit/audit.log \| audit2allow -M ovslocal
143
144	Contributing SELinux policy patches
145	-----------------------------------
146
147	Here are few things to consider before proposing SELinux policy patches to Open
148	vSwitch developer mailing list:
149
150	1. The SELinux policy that resides in Open vSwitch source tree amends SELinux
151	policy that ships with your distributions.
152
153	Implications of this are that it is assumed that the distribution's Open
154	vSwitch SELinux module must be already loaded to satisfy dependencies.
155
156	2. The SELinux policy that resides in Open vSwitch source tree must work on all
157	currently relevant Linux distributions.
158
159	Implications of this are that you should use only those SELinux policy
160	features that are supported by the lowest SELinux version out there.
161	Typically this means that you should test your SELinux policy changes on the
795752a3 SF	162	oldest RHEL or CentOS version that this OVS version supports. Refer to
795752a3 SF	163	:doc:`/intro/install/fedora` to find out this.
24874488 SF	164
	165	3. The SELinux policy is enforced only when state transition to
	166	``openvswitch_t`` domain happens.
	167
	168	Implications of this are that perhaps instead of loosening SELinux policy
	169	you can do certain things at the time rpm package is installed.
	170
	171	Reporting Bugs
	172	--------------
	173
	174	Report problems to bugs@openvswitch.org.