[ovs.git] / INSTALL.SELinux.md

Running Open vSwitch under SELinux
==================================

Security-Enhanced Linux (SELinux) is a Linux kernel security
module that limits "the malicious things" that certain processes,
including OVS, can do to the system in case they get compromised.
In our case SELinux basically serves as the "second line of defense"
that limits the things that OVS processes are allowed to do.  The
"first line of defense" is proper input validation that eliminates
code paths that could be used by attacker to do any sort of
"escape attacks" (e.g. file name escape, shell escape, command
line argument escape, buffer escape).  Since developers don't
always implement proper input validation, then SELinux Access
Control's goal is to confine damage of such attacks, if they
turned out to be possible.

Besides Type Enforcement there are other SELinux
features, but they are out of scope for this document.

Currently there are two SELinux policies for Open vSwitch:
1. the one that ships with your Linux distribution (i.e.
   selinux-policy-targeted package); And
2. the one that ships with OVS (i.e. openvswitch-selinux-policy
   package).


Limitations
-----------

If Open vSwitch is directly started from command line, then it
will run under "unconfined_t" SELinux domain that basically lets
daemon to do whatever it likes.  This is very important for developers
to understand, because they might introduced code in OVS that invokes
new system calls that SELinux policy did not anticipate.  This means
that their feature may have worked out just fine for them.  However,
if someone else would try to run the same code when Open vSwitch is
started through systemctl, then Open vSwitch would get Permission Denied
errors.

Currently the only distributions that enforce SELinux on OVS by
default are RHEL, CentOS and Fedora.  While Ubuntu and Debian also
have some SELinux support, they run Open vSwitch under the unrestricted
"unconfined" domain.  Also, it seems that Ubuntu is leaning towards
Apparmor that works slightly differently than SELinux.

SELinux and Open vSwitch are moving targets.  What this means
is that, if you solely rely on your Linux distribution's SELinux policy,
then this policy might not have correctly anticipated that a newer
Open vSwitch version needs extra white list rules.  However, if you
solely rely on SELinux policy that ships with Open vSwitch, then
Open vSwitch developers might not have correctly anticipated the
feature set that your SELinux implementation supports.


Installation
------------

Refer to [INSTALL.Fedora.md] for instructions on how to build all
Open vSwitch rpm packages.

Once the package is built, install it on your Linux distribution with:

   # yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm

And, then restart Open vSwitch:

   # systemctl restart openvswitch


Troubleshooting
---------------

When SELinux was implemented some of the standard system utilities
acquired "-Z" flag (e.g. "ps -Z", "ls -Z").  For example, to find out
under which SELinux security domain process runs, use:

   # ps -AZ | grep ovs-vswitchd
   system_u:system_r:openvswitch_t:s0 854 ?    ovs-vswitchd

To find out the SELinux label of file or directory, use:

   # ls -Z /etc/openvswitch/conf.db
   system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db


If, for example, SELinux policy for Open vSwitch is too strict,
then you might see in Open vSwitch log files "Permission Denied"
errors:

    # cat /var/log/openvswitch/ovs-vswitchd.log
    vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
    ovs_numa|INFO|Discovered 2 CPU cores on NUMA node 0
    ovs_numa|INFO|Discovered 1 NUMA nodes and 2 CPU cores
    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
    reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
    netlink_socket|ERR|fcntl: Permission denied
    dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist.
                     The Open vSwitch kernel module is probably not loaded.
    dpif|WARN|failed to enumerate system datapaths: Permission denied
    dpif|WARN|failed to create datapath ovs-system: Permission denied


However, not all "Permission denied" errors are caused by SELinux.  So,
before blaming too strict SELinux policy, make sure that indeed SELinux
was the one that denied OVS access to certain resources, for example, run:

   # grep "openvswitch_t" /var/log/audit/audit.log | tail
   type=AVC msg=audit(1453235431.640:114671): avc:  denied  { getopt } for  pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0


If SELinux denied OVS access to certain resources, then make sure that you
have installed our SELinux policy package that "loosens" up distribution's
SELinux policy:

   # rpm -qa | grep openvswitch-selinux
   openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch

And, then verify that this module was indeed loaded:

   # semodule -l | grep openvswitch
   openvswitch-custom    1.0
   openvswitch          1.1.1

If you still see Permission denied errors, then take a look
into selinux/openvswitch.te file in the OVS source tree and
try to add white list rules.  This is really simple, just run
SELinux audit2allow tool:

   # grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal

See "Contributing SELinux policy patches" section, if you think
that other Open vSwitch users would benefit from your SELinux policy
changes.


Contributing SELinux policy patches
-----------------------------------

Here are few things to consider before proposing SELinux policy
patches to Open vSwitch developer mailing list:

1. The SELinux policy that resides in Open vSwitch source tree
   amends SELinux policy that ships with your distributions.

   Implications of this are that it is assumed that the distribution's
   Open vSwitch SELinux module must be already loaded to satisfy
   dependencies.

2. The SELinux policy that resides in Open vSwitch source tree
   must work on all currently relevant Linux distributions.

   Implications of this are that you should use only those SELinux
   policy features that are supported by the lowest SELinux version
   out there.  Typically this means that you should test your SELinux
   policy changes on the oldest RHEL or CentOS version that this
   OVS version supports.  Check INSTALL.Fedora.md file to find out
   this.

3. The SELinux policy is enforced only when state transition to
   openvswitch_t domain happens.

   Implications of this are that perhaps instead of loosening SELinux
   policy you can do certain things at the time rpm package is installed.


Reporting Bugs
--------------

Please report problems to bugs@openvswitch.org.

[INSTALL.md]:INSTALL.md
Commit	Line	Data
9b897c91 AA	1	Running Open vSwitch under SELinux
	2	==================================
	3
	4	Security-Enhanced Linux (SELinux) is a Linux kernel security
	5	module that limits "the malicious things" that certain processes,
	6	including OVS, can do to the system in case they get compromised.
	7	In our case SELinux basically serves as the "second line of defense"
	8	that limits the things that OVS processes are allowed to do. The
	9	"first line of defense" is proper input validation that eliminates
	10	code paths that could be used by attacker to do any sort of
	11	"escape attacks" (e.g. file name escape, shell escape, command
	12	line argument escape, buffer escape). Since developers don't
	13	always implement proper input validation, then SELinux Access
	14	Control's goal is to confine damage of such attacks, if they
	15	turned out to be possible.
	16
	17	Besides Type Enforcement there are other SELinux
	18	features, but they are out of scope for this document.
	19
	20	Currently there are two SELinux policies for Open vSwitch:
	21	1. the one that ships with your Linux distribution (i.e.
	22	selinux-policy-targeted package); And
	23	2. the one that ships with OVS (i.e. openvswitch-selinux-policy
	24	package).
	25
	26
	27	Limitations
	28	-----------
	29
	30	If Open vSwitch is directly started from command line, then it
	31	will run under "unconfined_t" SELinux domain that basically lets
	32	daemon to do whatever it likes. This is very important for developers
	33	to understand, because they might introduced code in OVS that invokes
	34	new system calls that SELinux policy did not anticipate. This means
	35	that their feature may have worked out just fine for them. However,
	36	if someone else would try to run the same code when Open vSwitch is
	37	started through systemctl, then Open vSwitch would get Permission Denied
	38	errors.
	39
	40	Currently the only distributions that enforce SELinux on OVS by
	41	default are RHEL, CentOS and Fedora. While Ubuntu and Debian also
	42	have some SELinux support, they run Open vSwitch under the unrestricted
	43	"unconfined" domain. Also, it seems that Ubuntu is leaning towards
	44	Apparmor that works slightly differently than SELinux.
	45
	46	SELinux and Open vSwitch are moving targets. What this means
	47	is that, if you solely rely on your Linux distribution's SELinux policy,
	48	then this policy might not have correctly anticipated that a newer
	49	Open vSwitch version needs extra white list rules. However, if you
	50	solely rely on SELinux policy that ships with Open vSwitch, then
	51	Open vSwitch developers might not have correctly anticipated the
	52	feature set that your SELinux implementation supports.
	53
	54
	55	Installation
	56	------------
	57
	58	Refer to [INSTALL.Fedora.md] for instructions on how to build all
	59	Open vSwitch rpm packages.
	60
	61	Once the package is built, install it on your Linux distribution with:
	62
	63	# yum install openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch.rpm
	64
65	And, then restart Open vSwitch:
66
67	# systemctl restart openvswitch
68
69
70	Troubleshooting
71	---------------
72
73	When SELinux was implemented some of the standard system utilities
74	acquired "-Z" flag (e.g. "ps -Z", "ls -Z"). For example, to find out
75	under which SELinux security domain process runs, use:
76
77	# ps -AZ \| grep ovs-vswitchd
78	system_u:system_r:openvswitch_t:s0 854 ? ovs-vswitchd
79
80	To find out the SELinux label of file or directory, use:
81
82	# ls -Z /etc/openvswitch/conf.db
83	system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
84
85
86	If, for example, SELinux policy for Open vSwitch is too strict,
87	then you might see in Open vSwitch log files "Permission Denied"
88	errors:
89
90	# cat /var/log/openvswitch/ovs-vswitchd.log
91	vlog\|INFO\|opened log file /var/log/openvswitch/ovs-vswitchd.log
92	ovs_numa\|INFO\|Discovered 2 CPU cores on NUMA node 0
93	ovs_numa\|INFO\|Discovered 1 NUMA nodes and 2 CPU cores
94	reconnect\|INFO\|unix:/var/run/openvswitch/db.sock: connecting...
95	reconnect\|INFO\|unix:/var/run/openvswitch/db.sock: connected
96	netlink_socket\|ERR\|fcntl: Permission denied
97	dpif_netlink\|ERR\|Generic Netlink family 'ovs_datapath' does not exist.
98	The Open vSwitch kernel module is probably not loaded.
99	dpif\|WARN\|failed to enumerate system datapaths: Permission denied
100	dpif\|WARN\|failed to create datapath ovs-system: Permission denied
101
102
103
104	However, not all "Permission denied" errors are caused by SELinux. So,
105	before blaming too strict SELinux policy, make sure that indeed SELinux
106	was the one that denied OVS access to certain resources, for example, run:
107
108	# grep "openvswitch_t" /var/log/audit/audit.log \| tail
109	type=AVC msg=audit(1453235431.640:114671): avc: denied { getopt } for pid=4583 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
110
111
112	If SELinux denied OVS access to certain resources, then make sure that you
113	have installed our SELinux policy package that "loosens" up distribution's
114	SELinux policy:
115
116	# rpm -qa \| grep openvswitch-selinux
117	openvswitch-selinux-policy-2.4.1-1.el7.centos.noarch
118
119	And, then verify that this module was indeed loaded:
120
121	# semodule -l \| grep openvswitch
122	openvswitch-custom 1.0
123	openvswitch 1.1.1
124
125	If you still see Permission denied errors, then take a look
126	into selinux/openvswitch.te file in the OVS source tree and
127	try to add white list rules. This is really simple, just run
128	SELinux audit2allow tool:
129
130	# grep "openvswitch_t" /var/log/audit/audit.log \| audit2allow -M ovslocal
131
132	See "Contributing SELinux policy patches" section, if you think
133	that other Open vSwitch users would benefit from your SELinux policy
134	changes.
135
136
137	Contributing SELinux policy patches
138	-----------------------------------
139
140	Here are few things to consider before proposing SELinux policy
141	patches to Open vSwitch developer mailing list:
142
143	1. The SELinux policy that resides in Open vSwitch source tree
144	amends SELinux policy that ships with your distributions.
145
146	Implications of this are that it is assumed that the distribution's
147	Open vSwitch SELinux module must be already loaded to satisfy
148	dependencies.
149
150	2. The SELinux policy that resides in Open vSwitch source tree
151	must work on all currently relevant Linux distributions.
152
153	Implications of this are that you should use only those SELinux
154	policy features that are supported by the lowest SELinux version
155	out there. Typically this means that you should test your SELinux
156	policy changes on the oldest RHEL or CentOS version that this
157	OVS version supports. Check INSTALL.Fedora.md file to find out
158	this.
159
160	3. The SELinux policy is enforced only when state transition to
161	openvswitch_t domain happens.
162
163	Implications of this are that perhaps instead of loosening SELinux
164	policy you can do certain things at the time rpm package is installed.
165
166
167
168	Reporting Bugs
169	--------------
170
171	Please report problems to bugs@openvswitch.org.
172
173	[INSTALL.md]:INSTALL.md