
[VPP-1640] Missing rules in vpp-selinux-policy

Open vvalderrv opened this issue 10 months ago • 10 comments

Description

Hi,

I installed VPP on a centos VM which includes the vpp-selinux-policy package.

Even with that package, I had to create a custom SELinux module to authorize access to the /dev/vfio/ directory so I can create a vmxnet3 interface.

I'm also facing a similar situation when I try to create a host-interface and link it with a veth interface. Here is what I see in the audit.logs:

type=AVC msg=audit(1554740751.564:59100): avc: denied { map } for pid=6078 comm="vpp_main" path="socket:[35534]" dev="sockfs" ino=35534 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0

vpp# create host-interface name vpp2

create host-interface: Bad file descriptor (errno 9)

Below is the version installed:

vpp# show version verbose cmdline

Version: v19.01.1-release

Compiled by: root

Compile host: 44f6c5ae1118

Compile date: Wed Mar 6 23:25:46 UTC 2019

Compile location: /w/workspace/vpp-merge-1901-centos7

Compiler: GCC 7.3.1 20180303 (Red Hat 7.3.1-5)

Current PID: 6078

Command line arguments:

/usr/bin/vpp unix { nodaemon log /var/log/vpp/vpp.log full-coredump cli-listen /run/vpp/cli.sock gid vpp exec /etc/vpp/vpp.conf } api-trace { on } api-segment { gid vpp } socksvr { default } cpu { }

Are there some specific settings required?

Documentation said "if VPP has never been installed on a system, then starting in 18.04, the VPP Custom SELinux Policy will be installed with the other RPMs and all the system components managed by VPP will be labeled properly."

Thanks

Assignee

Billy McFall

Reporter

Laurent Aubert

Comments

  • JIRAUSER13913 (Thu, 10 Sep 2020 23:11:23 +0000): Similar case to the errors in VPP-1931 on 20.05, but the missing perms differ there.  I note that nlmsg_read does not exist in vpp/extras/selinux/vpp-custom.te (master) yet.
  • bganne (Tue, 4 Jun 2019 14:13:13 +0000): Hi Billy,

I am not able to check vmxnet3/vfio issue for now, but the issue with host interfaces is not fixed.

Steps to reproduce:

    - start VPP
    - create veth: sudo ip link add dev vm1 type veth peer name vm2
    - create host interface: sudo vppctl create host-interface name vm2

VPP will fail to create the interface with create host-interface: Permission denied (errno 13). If SELinux is disabled (setenforce 0), it works fine.

The associated message in audit.log:

type=AVC msg=audit(1559656867.880:95): avc: denied { nlmsg_read } for pid=4509 comm="vpp" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=netlink_route_socket permissive=0

  • billym (Thu, 30 May 2019 15:26:14 +0000): The initial description of the problem was a little vague. Can someone confirm the patch fixes all the problems encountered?
  • billym (Thu, 16 May 2019 13:18:10 +0000): Initial Patch Pushed: https://gerrit.fd.io/r/19646
  • billym (Tue, 14 May 2019 19:15:32 +0000): If there are still SELinux issues, please run the following:
sudo yum -y install setroubleshoot setroubleshoot-server setools-console
sudo service auditd restart
sudo setenforce 0
sudo tail -f /var/log/messages
This will install some additional SELinux modules for debugging, restart the audit to collect those new events, and set SELinux to permissive, which allows testing to complete so full logs can be collected instead of bailing on first error. Look for 'setroubleshoot' logs in the message log.

Example:

May 14 11:28:34 svr-22 setroubleshoot: SELinux is preventing /usr/bin/vpp from read access on the file hostCreate.txt. For complete SELinux messages run: sealert -l 0b88e295-0b1a-4f56-9fd6-251d835b1bca
May 14 11:28:34 svr-22 python: SELinux is preventing /usr/bin/vpp from read access on the file hostCreate.txt.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read access on the hostCreate.txt file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
May 14 11:28:34 svr-22 setroubleshoot: SELinux is preventing /usr/bin/vpp from read access on the file hostCreate.txt. For complete SELinux messages run: sealert -l 0b88e295-0b1a-4f56-9fd6-251d835b1bca
May 14 11:28:34 svr-22 python: SELinux is preventing /usr/bin/vpp from read access on the file hostCreate.txt.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read access on the hostCreate.txt file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
May 14 11:28:37 svr-22 setroubleshoot: SELinux is preventing vpp_main from map access on the packet_socket packet_socket. For complete SELinux messages run: sealert -l ab6667d9-3f14-4dbd-96a0-7a655f7b4eb1
May 14 11:28:37 svr-22 python: SELinux is preventing vpp_main from map access on the packet_socket packet_socket.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp_main should be allowed map access on the packet_socket packet_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012
May 14 11:28:51 svr-22 setroubleshoot: SELinux is preventing vpp_main from map access on the packet_socket packet_socket. For complete SELinux messages run: sealert -l ab6667d9-3f14-4dbd-96a0-7a655f7b4eb1
May 14 11:28:51 svr-22 python: SELinux is preventing vpp_main from map access on the packet_socket packet_socket.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp_main should be allowed map access on the packet_socket packet_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain#012# semodule -i my-vppmain.pp#012

Then, to determine the cause and how to fix, create a temp directory and run the command suggested in the log:

mkdir 01/; cd 01/
sudo ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain

ls my-vpp.pp my-vpp.te

cat my-vpp.te
module my-vpp 1.0;

require {
        type user_home_t;
        type vpp_t;
        class packet_socket map;
        class file { open read };
}

#============= vpp_t ==============
allow vpp_t self:packet_socket map;
allow vpp_t user_home_t:file { open read };

Include this info to help debug. Thanks.
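
Added example, not from the issue or from VPP itself: a small Python parser that turns AVC denial records like the two quoted in this thread into the allow rules audit2allow would propose, making the grouping by source type, target type and object class explicit. The sample audit text is constructed from the denials on this page plus one unrelated SYSCALL record.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in this issue, plus an
# unrelated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1554740751.564:59100): avc: denied { map } for pid=6078 comm="vpp_main" path="socket:[35534]" dev="sockfs" ino=35534 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0
type=SYSCALL msg=audit(1554740751.564:59100): arch=c000003e syscall=9 success=no exit=-13
type=AVC msg=audit(1559656867.880:95): avc: denied { nlmsg_read } for pid=4509 comm="vpp" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=netlink_route_socket permissive=0
"""


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for one AVC denial
    record, or None for any other audit record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    perms = set(m.group(1).split())
    # The rest of the record is key=value tokens; the type is the third
    # field of a user:role:type:level security context.
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return perms, stype, ttype, tclass


def allow_rules(log_text):
    """Merge denials per (source, target, class) and emit the allow rules that
    would silence them, using 'self' when source and target types match (the
    form vpp-custom.te uses, e.g. 'allow vpp_t self:packet_socket ...')."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            perms, stype, ttype, tclass = parsed
            denied[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(denied.items()):
        target = "self" if stype == ttype else ttype
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ %s }" % " ".join(perm_list)
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

As with audit2allow output, the generated rules are a starting point to review against the intent of vpp-custom.te (a single denied permission on a specific class) before anything is loaded with semodule.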

  • billym (Tue, 14 May 2019 19:03:10 +0000): I am new to the 'vmxnet3' driver, so if I missed something, let me know and I will retest. Created CentOS 7.6 VM using QEMU and built VPP 19.01 in VM.

Test 1: vmxnet3 - noiommu_mode


Brought up two additional interfaces in VM with type='virtio'. Then ran the following:

 sudo ifconfig eth1 down
 sudo ifconfig eth2 down
 sudo modprobe vfio-pci
 echo Y | sudo tee /sys/module/vfio/parameters/enable_unsafe_noiommu_mode
 sudo ./extras/vpp_config/scripts/dpdk-devbind.py --bind vfio-pci 0a:00.0 0b:00.0
 sudo systemctl start vpp
VPP autodetected GigabitEtherneta/0/0 and GigabitEthernetb/0/0. Collected the selinux logs.

Test 2: vmxnet3


Brought up two additional interfaces in VM with type='vmxnet3'. Then ran the following:

 sudo ifconfig enp10s0 down
 sudo ifconfig enp11s0 down
 sudo modprobe vfio-pci
 sudo ./extras/vpp_config/scripts/dpdk-devbind.py --bind vfio-pci 0a:00.0 0b:00.0
 
 sudo systemctl start vpp

Once VPP was up, ran:

 vppctl create interface vmxnet3 0:b:0.0
 vppctl create interface vmxnet3 0:a:0.0
 vppctl set int state vmxnet3-0/b/0/0 up
 vppctl set int state vmxnet3-0/a/0/0 up
 
 vppctl delete interface vmxnet3 vmxnet3-0/a/0/0
 vppctl delete interface vmxnet3 vmxnet3-0/b/0/0

Collected the selinux logs.

Test 3: Host interface


Brought up VM. Ran something similar to: https://wiki.fd.io/view/VPP/Configure_VPP_As_A_Router_Between_Namespaces

Collected the selinux logs.

Patch:


With the following patch, I was able to run the above tests cleanly:

$ git diff extras/selinux/vpp-custom.te
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
index 2cce747..1b6e9c2 100644
--- a/extras/selinux/vpp-custom.te
+++ b/extras/selinux/vpp-custom.te
@@ -46,7 +46,7 @@ files_tmp_file(vpp_tmp_t)
 allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin net_admin }; # too benevolent
 dontaudit vpp_t self:capability2 block_suspend;
 allow vpp_t self:process { execmem execstack setsched signal }; # too benevolent
-allow vpp_t self:packet_socket { bind create setopt ioctl };
+allow vpp_t self:packet_socket { bind create setopt ioctl map };
 allow vpp_t self:tun_socket { create relabelto relabelfrom };
 allow vpp_t self:udp_socket { create ioctl };
 allow vpp_t self:unix_dgram_socket { connect create ioctl };
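Review bot: the added `map` permission matches the packet_socket denial quoted in the description (avc: denied { map } ... tclass=packet_socket), but the netlink_route_socket denial bganne reports for create host-interface (avc: denied { nlmsg_read } ... tclass=netlink_route_socket) is not covered by this hunk; consider adding `allow vpp_t self:netlink_route_socket nlmsg_read;` beside the other self socket rules, since the later comment notes nlmsg_read is still absent from vpp-custom.te on master.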
@@ -94,6 +94,7 @@ dev_rw_sysfs(vpp_t)
 dev_read_cpuid(vpp_t)
 dev_rw_vfio_dev(vpp_t)
 dev_rw_vhost( vpp_t )
+dev_rw_generic_chr_files(vpp_t)

domain_obj_id_change_exemption(vpp_t)
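Review bot: dev_rw_generic_chr_files(vpp_t) grants vpp_t read/write on every character device carrying the generic device_t label, which is much broader than the /dev/vfio/ access the report asks for, and dev_rw_vfio_dev(vpp_t) two lines up already covers vfio devices. It would help to quote the AVC line that motivated this interface so the target device can be labeled and allowed specifically, or at least to mark the line "# too benevolent" like the capability and process rules in the first hunk so the widening stays visible.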

Can you let me know if these two line changes address all of your issues?

  • bganne (Thu, 2 May 2019 14:18:07 +0000): Great thanks!
  • billym (Thu, 2 May 2019 14:06:22 +0000): No, but this is high on my list. My development server had hard drive failures that will hopefully be resolved by end of week.
  • bganne (Thu, 2 May 2019 14:01:04 +0000): Hi Billy, any update on this one?

Original issue: https://jira.fd.io/browse/VPP-1640
