thr3ads.net - Ovirt devel - [Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy [Oct 2008]

If this information is useful, please help other people find it:
Share via:

Jim Meyering

2008-Oct-08 21:19 UTC

[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

ovirt-node needs SELinux policy to allow qemu to access the iSCSI block
devices. This is done presently via a script during install, but it
should be done by a subpackage of ovirt-node called ovirt-node-selinux.
Follow the Fedora guidelines for this located at:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

* Makefile.am (EXTRA_DIST): Add ovirt-node-selinux.te.
* ovirt-node-selinux.te: New file, with contents from...
* ovirt-listen-awake/ovirt-install-node: ...here.  Remove policy
definition and semodule-running code.
* ovirt-node.spec.in: Update per the above wiki URL.
---
 Makefile.am                           |    6 ++--
 ovirt-listen-awake/ovirt-install-node |   19 ----------
 ovirt-node-selinux.te                 |    8 ++++
 ovirt-node.spec.in                    |   59 ++++++++++++++++++++++++++++++++-
 4 files changed, 69 insertions(+), 23 deletions(-)
 create mode 100644 ovirt-node-selinux.te

diff --git a/Makefile.am b/Makefile.am
index 28aa71e..8ca63dc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,10 +21,11 @@ SUBDIRS = ovirt-identify-node ovirt-listen-awake
 EXTRA_DIST =			\
   .gitignore			\
   ovirt-node.spec		\
-  ovirt-node.spec.in	\
+  ovirt-node.spec.in		\
+  ovirt-node-selinux.te		\
   scripts/collectd		\
   scripts/collectd.conf.in	\
-  scripts/ovirt				\
+  scripts/ovirt			\
   scripts/ovirt-awake		\
   scripts/ovirt-early		\
   scripts/ovirt-functions	\
@@ -48,4 +49,3 @@ publish: rpms
 	createrepo $(OVIRT_CACHE_DIR)/ovirt

 .PHONY: rpms publish
-
diff --git a/ovirt-listen-awake/ovirt-install-node
b/ovirt-listen-awake/ovirt-install-node
index c741acf..1d998f4 100644
--- a/ovirt-listen-awake/ovirt-install-node
+++ b/ovirt-listen-awake/ovirt-install-node
@@ -100,22 +100,3 @@ elif [ "$1" = "stateful" ]; then
 else
     usage
 fi
-
-# Common to both stateless and stateful Nodes
-
-if selinuxenabled ; then
-    # make disks available to VMs
-    t=$(mktemp -d)
-    cat > $t/te <<\EOF
-module ovirt 1.0.0;
-require {
-    type fixed_disk_device_t;
-    type qemu_t;
-    class blk_file { ioctl getattr setattr read write };
-}
-allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
-EOF
-    checkmodule -M -m -o $t/mod $t/te
-    semodule_package -o $t/pp -m $t/mod
-    semodule -i $t/pp
-fi
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
new file mode 100644
index 0000000..a53d3de
--- /dev/null
+++ b/ovirt-node-selinux.te
@@ -0,0 +1,8 @@
+module ovirt 1.0.0;
+require {
+    type fixed_disk_device_t;
+    type qemu_t;
+    class blk_file { ioctl getattr setattr read write };
+}
+# Give qemu_t access to any block device
+allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
diff --git a/ovirt-node.spec.in b/ovirt-node.spec.in
index 3dc4e1d..daa3d7f 100644
--- a/ovirt-node.spec.in
+++ b/ovirt-node.spec.in
@@ -6,6 +6,11 @@ Source0:        %{name}-%{version}.tar.gz
 License:        GPLv2+
 Group:          Applications/System

+%define selinux_variants mls strict targeted
+%define selinux_policyver %(sed -n
's,.*selinux-policy-\([^/]*\)/.*,\1,p'
/usr/share/selinux/devel/policyhelp)
+%define modulename %{name}-selinux
+Source1:        %{modulename}.te
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 URL:            http://www.ovirt.org/
 Requires(post):  /sbin/chkconfig
@@ -26,14 +31,38 @@ ExclusiveArch:  %{ix86} x86_64
 Provides a series of daemons and support utilities to allow an
 oVirt Node to interact with the oVirt server.

-%prep
+%package selinux
+Summary:        SELinux policy module supporting ovirt-node
+Group:          System Environment/Base
+BuildRequires:  checkpolicy, selinux-policy-devel, hardlink
+%if "%{selinux_policyver}" != ""
+Requires:       selinux-policy >= %{selinux_policyver}
+%endif
+Requires:       %{name} = %{version}-%{release}
+Requires(post):   /usr/sbin/semodule, /sbin/restorecon
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon
+
+%description selinux
+SELinux policy module supporting ovirt-node

+%prep
 %setup -q

+mkdir SELinux
+cp -p %{SOURCE1} SELinux
+
 %build
 %configure
 make

+cd SELinux
+for selinuxvariant in %{selinux_variants}; do
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+  mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
+  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
+
 %install
 %{__rm} -rf %{buildroot}
 %{__install} -d -m0755 %{buildroot}%{_sbindir}
@@ -65,6 +94,16 @@ make

 echo "oVirt Node release %{version}-%{release}" >
%{buildroot}%{_sysconfdir}/ovirt-release

+cd SELinux
+for selinuxvariant in %{selinux_variants}; do
+  install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+  install -p -m 644 %{modulename}.pp.${selinuxvariant} \
+  %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
+done
+cd -
+
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
 %clean
 %{__rm} -rf %{buildroot}

@@ -85,6 +124,24 @@ if [ "$1" = 0 ] ; then
   /sbin/chkconfig --del ovirt-listen-awake
 fi

+%post selinux
+for selinuxvariant in %{selinux_variants}; do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp &> /dev/null
|| :
+done
+
+%postun selinux
+if [ $1 -eq 0 ] ; then
+  for selinuxvariant in %{selinux_variants}; do
+    /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} &>
/dev/null || :
+  done
+fi
+
+%files selinux
+%defattr(-,root,root,0755)
+%doc SELinux/*
+%{_datadir}/selinux/*/%{modulename}.pp
+
 %files
 %defattr(-,root,root,0755)
 %{_sbindir}/ovirt-awake
--
1.6.0.2.304.gc76d

Perry N. Myers

2008-Oct-09 04:28 UTC

head link

[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

Jim Meyering wrote:> ovirt-node needs SELinux policy to allow qemu to access the iSCSI block
> devices. This is done presently via a script during install, but it
> should be done by a subpackage of ovirt-node called ovirt-node-selinux.
> Follow the Fedora guidelines for this located at:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
> 
> * Makefile.am (EXTRA_DIST): Add ovirt-node-selinux.te.
> * ovirt-node-selinux.te: New file, with contents from...
> * ovirt-listen-awake/ovirt-install-node: ...here.  Remove policy
> definition and semodule-running code.
> * ovirt-node.spec.in: Update per the above wiki URL.
This seems to work for me.  I'm able to successfully boot a VM using iSCSI 
storage and SELinux isn't blocking access to the storage with this policy 
applied.

However...  I see other errors in dmesg that are SELinux related.  This 
might bear looking into:
> type=1400 audit(1223526055.374:4): avc:  denied  { read } for  pid=2592
comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0
tclass=dir
> type=1400 audit(1223526055.374:5): avc:  denied  { read } for  pid=2592
comm="mount" name="tmp.mhdXsnaPjX" dev=dm-0 ino=7101
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0
tclass=dir
> Not cloning cgroup for unused subsystem ns
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> scsi6 : iSCSI Initiator over TCP/IP
> scsi 6:0:0:0: RAID              IET      Controller       0001 PQ: 0 ANSI:
5
> scsi 6:0:0:0: Attached scsi generic sg2 type 12
> scsi 6:0:0:1: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdb: unknown partition table
> type=1400 audit(1223526138.070:6): avc:  denied  { search } for  pid=2732
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526138.070:7): avc:  denied  { search } for  pid=2732
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 6:0:0:1: [sdb] Attached SCSI disk
> sd 6:0:0:1: Attached scsi generic sg3 type 0
> scsi 6:0:0:2: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdc: unknown partition table
> type=1400 audit(1223526138.084:8): avc:  denied  { search } for  pid=2732
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526138.084:9): avc:  denied  { search } for  pid=2732
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 6:0:0:2: [sdc] Attached SCSI disk
> sd 6:0:0:2: Attached scsi generic sg4 type 0
> scsi 6:0:0:3: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdd: unknown partition table
> type=1400 audit(1223526138.098:10): avc:  denied  { search } for  pid=2732
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526138.098:11): avc:  denied  { search } for  pid=2732
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 6:0:0:3: [sdd] Attached SCSI disk
> sd 6:0:0:3: Attached scsi generic sg5 type 0
> sd 6:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:1: [sdb] Write Protect is off
> sd 6:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 6:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:2: [sdc] Write Protect is off
> sd 6:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 6:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 6:0:0:3: [sdd] Write Protect is off
> sd 6:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 6:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 6:0:0:1: [sdb] Synchronizing SCSI cache
> sd 6:0:0:2: [sdc] Synchronizing SCSI cache
> sd 6:0:0:3: [sdd] Synchronizing SCSI cache
> scsi7 : iSCSI Initiator over TCP/IP
> scsi 7:0:0:0: RAID              IET      Controller       0001 PQ: 0 ANSI:
5
> scsi 7:0:0:0: Attached scsi generic sg2 type 12
> scsi 7:0:0:1: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdb: unknown partition table
> type=1400 audit(1223526199.621:12): avc:  denied  { search } for  pid=2852
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526199.621:13): avc:  denied  { search } for  pid=2852
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 7:0:0:1: [sdb] Attached SCSI disk
> sd 7:0:0:1: Attached scsi generic sg3 type 0
> scsi 7:0:0:2: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdc: unknown partition table
> type=1400 audit(1223526199.636:14): avc:  denied  { search } for  pid=2852
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526199.636:15): avc:  denied  { search } for  pid=2852
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 7:0:0:2: [sdc] Attached SCSI disk
> sd 7:0:0:2: Attached scsi generic sg4 type 0
> scsi 7:0:0:3: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI:
5
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
>  sdd: unknown partition table
> type=1400 audit(1223526199.649:16): avc:  denied  { search } for  pid=2852
comm="iscsid" name="bdi" dev=debugfs ino=6
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> type=1400 audit(1223526199.649:17): avc:  denied  { search } for  pid=2852
comm="iscsid" name="/" dev=debugfs ino=1
scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:debugfs_t:s0
tclass=dir
> sd 7:0:0:3: [sdd] Attached SCSI disk
> sd 7:0:0:3: Attached scsi generic sg5 type 0
> sd 7:0:0:1: [sdb] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:1: [sdb] Write Protect is off
> sd 7:0:0:1: [sdb] Mode Sense: 79 00 00 08
> sd 7:0:0:1: [sdb] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 7:0:0:2: [sdc] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:2: [sdc] Write Protect is off
> sd 7:0:0:2: [sdc] Mode Sense: 79 00 00 08
> sd 7:0:0:2: [sdc] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> sd 7:0:0:3: [sdd] 6291456 512-byte hardware sectors (3221 MB)
> sd 7:0:0:3: [sdd] Write Protect is off
> sd 7:0:0:3: [sdd] Mode Sense: 79 00 00 08
> sd 7:0:0:3: [sdd] Write cache: enabled, read cache: enabled, doesn't
support DPO or FUA
> tun: Universal TUN/TAP device driver, 1.6
> tun: (C) 1999-2004 Max Krasnyansky <maxk at qualcomm.com>
> device vnet0 entered promiscuous mode
> ovirtbr0: port 2(vnet0) entering learning state
> ovirtbr0: topology change detected, propagating
> ovirtbr0: port 2(vnet0) entering forwarding state
> vnet0: no IPv6 routers present
> kvm: emulating exchange as write
> [root at node123 ~]# df
> Filesystem           1K-blocks      Used Available Use% Mounted on
> /dev/mapper/live-rw     554336    199904    348824  37% /
> tmpfs                  1880100         0   1880100   0% /dev/shm
> [root at node123 ~]# virsh pool-list
> Name                 State      Autostart 
> -----------------------------------------
> NXk142Ob3yPtJwHp     active     no        
> 
> [root at node123 ~]# virsh pool-dumpxml
> error: command 'pool-dumpxml' requires <pool> option
> [root at node123 ~]# virsh pool-dumpxml NXk142Ob3yPtJwHp
> <pool type='iscsi'>
>   <name>NXk142Ob3yPtJwHp</name>
>   <uuid>2d075063-164a-e19d-de69-a142eac7b009</uuid>
>   <capacity>9663676416</capacity>
>   <allocation>9663676416</allocation>
>   <available>0</available>
>   <source>
>     <host name='192.168.50.2'/>
>     <device path='ovirtpriv:storage'>
>     </device>
>   </source>
>   <target>
>     <path>/dev/disk/by-id</path>
>     <permissions>
>       <mode>0700</mode>
>       <owner>0</owner>
>       <group>0</group>
>     </permissions>
>   </target>
> </pool>
Perry

Ovirt devel - Oct 2008 - [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy

[Ovirt-devel] [PATCH node] ovirt-node-selinux: new sub-module, for conforming SELinux policy