Bug 1003717 - openvswitch + mininet = SELinux AVCs
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-02 21:47 EDT by Jose Pedro Oliveira
Modified: 2014-03-15 11:22 EDT
CC: 10 users
Fixed In Version: selinux-policy-3.12.1-74.19.fc19
Doc Type: Bug Fix
Last Closed: 2014-03-15 11:22:01 EDT
Type: Bug
Attachments: None
Description Jose Pedro Oliveira 2013-09-02 21:47:48 EDT
Description of problem:
Running mininet causes several SELinux AVCs.  


Version-Release number of selected component (if applicable):
openvswitch-1.11.0-1.fc19.x86_64
openvswitch-controller-1.11.0-1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Install mininet following the steps listed in https://github.com/mininet/mininet/pull/194  (the first two patches are the only ones needed)

2. systemctl start openvswitch

3. sudo mn
   or
   sudo mn -v debug
   or
   sudo mn --test pingall
   

Actual results:
The pingall test fails

Expected results:
Run the pingall test with success

Additional info:
 * Mininet is a tool that uses openvswitch and network namespaces to create virtual networks.
 * mininet homepage: http://mininet.org/
 * mininet uses network namespaces


----------
# tail -n 100 audit.log | grep "type=AVC"
----------
type=AVC msg=audit(1378170683.196:882): avc:  denied  { name_connect } for
pid=810 comm="ovs-vswitchd" dest=6633
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { name_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { node_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:884): avc:  denied  { listen } for  pid=810
comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.198:885): avc:  denied  { accept } for  pid=810
comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:900): avc:  denied  { name_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:901): avc:  denied  { name_connect } for
pid=810 comm="ovs-vswitchd" dest=6633
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----------


----------
# tail -n 100 audit.log | audit2allow
----------
#============= openvswitch_t ==============
allow openvswitch_t node_t:tcp_socket node_bind;
allow openvswitch_t self:tcp_socket { accept listen };
allow openvswitch_t unreserved_port_t:tcp_socket { name_bind name_connect };
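As an added illustration (not part of the bug report or of audit2allow itself), the following Python reproduces what audit2allow does with the AVC lines quoted above: it re-joins the wrapped audit records, groups denials by source type, target type and object class, and emits the same three allow rules. It also lists the port-related denials separately, because name_bind/name_connect against unreserved_port_t is normally resolved by giving the port a dedicated type in policy rather than by allowing the domain to bind or connect to every unreserved port, which is the broader permission the raw audit2allow rule would grant. The sample input is the AVC text from the bug description, embedded verbatim; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the bug description, kept
# wrapped exactly as they appear there.
SAMPLE_AVCS = """\
type=AVC msg=audit(1378170683.196:882): avc:  denied  { name_connect } for
pid=810 comm="ovs-vswitchd" dest=6633
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { name_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { node_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:884): avc:  denied  { listen } for  pid=810
comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.198:885): avc:  denied  { accept } for  pid=810
comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:900): avc:  denied  { name_bind } for
pid=810 comm="ovs-vswitchd" src=6634
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:901): avc:  denied  { name_connect } for
pid=810 comm="ovs-vswitchd" dest=6633
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# "avc: denied { perms } for key=value ..." ; the permission set may hold
# several names, the rest of the record is key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text):
    """Re-join records wrapped onto several lines; a record starts at 'type='."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('type=') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def parse_avc(record):
    """Return (permissions, fields) for one AVC denial record, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return perms, fields


def _type_of(context):
    # user:role:type:level -> type
    return context.split(':')[2]


def derive_rules(text):
    """audit2allow-style: group denials by (source type, target type, class)
    and return sorted 'allow ...;' rule strings."""
    perms_by_key = defaultdict(set)
    for record in join_records(text):
        parsed = parse_avc(record)
        if not parsed:
            continue
        perms, f = parsed
        stype, ttype = _type_of(f['scontext']), _type_of(f['tcontext'])
        key = (stype, 'self' if ttype == stype else ttype, f['tclass'])
        perms_by_key[key].update(perms)
    rules = []
    for (s, t, cls), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        pstr = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {s} {t}:{cls} {pstr};')
    return rules


def port_denials(text):
    """(permission, port) pairs denied against a *_port_t target. These point
    at ports that should get their own port type instead of a blanket allow."""
    found = set()
    for record in join_records(text):
        parsed = parse_avc(record)
        if not parsed:
            continue
        perms, f = parsed
        if _type_of(f['tcontext']).endswith('port_t'):
            port = f.get('dest') or f.get('src')
            for perm in perms:
                if perm in ('name_bind', 'name_connect') and port:
                    found.add((perm, int(port)))
    return sorted(found)


if __name__ == '__main__':
    print('\n'.join(derive_rules(SAMPLE_AVCS)))
    print('port denials:', port_denials(SAMPLE_AVCS))
```

Run against the sample it prints the three rules shown in the audit2allow output above and reports name_connect to 6633 and name_bind to 6634, which is exactly the pair of ports the later comments discuss.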
Comment 1 Jose Pedro Oliveira 2013-09-02 22:17:34 EDT
A couple of notes about the virtual network topologies created by mininet:

Virtual network topologies have the following defaults:
 * the controller - ovs-controller - listens on TCP/6633
 * the first switch listens on TCP/6634
 * the second switch listens on TCP/6635
 * ...

The default (minimal) topology created by "sudo mn" has:
 * one controller
 * one switch
 * two hosts (h1:10.10.10.1; h2:10.10.10.2)

Each host is a bash process with its own IP address (network namespace).
Comment 2 Thomas Graf 2013-10-28 07:22:16 EDT
What version of selinux-policy do you have installed?
Comment 3 Jose Pedro Oliveira 2013-10-28 08:37:05 EDT
Sorry! I forgot to add the selinux package info.

Selinux version when the ticket was created:

   selinux-policy-3.12.1-73.fc19.noarch
   selinux-policy-targeted-3.12.1-73.fc19.noarch


The problem can still be reproduced with:

   selinux-policy-targeted-3.12.1-74.10.fc19.noarch
   selinux-policy-3.12.1-74.10.fc19.noarch
Comment 4 Jose Pedro Oliveira 2013-10-28 12:32:20 EDT
BTW: I have here a SRPM that builds and installs correctly in Fedora 19+ [1]:
http://um-pe09-2.di.uminho.pt/fedora/mininet-2.1.0-0.1.fc19.src.rpm

Contents:
---------
$ rpm -qpl mininet-2.1.0-0.1.fc19.src.rpm
---------
0001-Fixes-compiler-warning-implicit-declaration-of-funct.patch
0002-Fixes-compiler-warning-control-reaches-end-of-non-vo.patch
mininet-2.1.0.tar.gz
mininet.spec
---------
Note: the two patches have already been pulled by upstream (but only after the 2.1.0 release).

[1] - still need to test the python examples to see which modules have to be added to the requirements list.
Comment 5 Thomas Graf 2014-01-28 08:07:38 EST
Reassigning to selinux-policy to update the policy.
Comment 6 Daniel Walsh 2014-02-14 12:42:00 EST
This means openvswitch can be a service listening on a tcp_socket?

Is port 6634 the standard port this listens on?

And is 6633 a standard port it connects on?


 grep 6633 /etc/services 
cisco-vpath-tun 6633/udp                # Cisco vPath Services Overlay
Comment 7 Daniel Walsh 2014-02-14 12:51:52 EST
b9e29fc187e0ef9faeee1dd9772446cb45a4d031 and
1289f030a62736f6cb75af326064533d0e659a69 fix this in git.

Needs to be back ported to RHEL7, F20 and F19
Comment 8 Jose Pedro Oliveira 2014-02-14 19:02:47 EST
Daniel Walsh,

(In reply to Daniel Walsh from comment #6)
> This means openvswitch can be a service listening on a tcp_socket?
> 
> Is port 6634 the standard port this listens on?
> 
> And is 6633 a standard port it connects on?
> 
> 
>  grep 6633 /etc/services 
> cisco-vpath-tun 6633/udp                # Cisco vPath Services Overlay


The old de facto standard for the OpenFlow port has always been 6633/TCP.
The problem is that when they contacted IANA to make it official, port 6633/UDP had already been given to Cisco, and the official OpenFlow port has been 6653/TCP since 2013-07-18 (see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openflow).

This change will cause problems to openvswitch and mininet (that uses openvswitch by default).

Regarding this particular ticket: currently mininet creates topologies using the following ports:

  * 6633/TCP - controller
  * 6634/TCP - first switch
  * 6635/TCP - second switch
  * 6636/TCP - third switch
  * ... and so on ...

A minimal topology with 1 controller and 1 switch will only require ports 6633 and 6634/TCP.  More complex topologies (user defined) will require n+1 ports where n is the number of switches.

/jpo
Comment 9 Lukas Vrabec 2014-02-15 18:09:05 EST
Backported to F20 (also RHEL7) and F19 branch.
Comment 10 Fedora Update System 2014-02-24 08:16:17 EST
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19
Comment 11 Fedora Update System 2014-02-25 02:44:52 EST
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).
Comment 12 Christopher Meng 2014-02-25 08:53:38 EST
Hi,

mininet is in my todo list on packaging.

If you have time, please help test this package when I submit it.

Thank you!
Comment 13 Jose Pedro Oliveira 2014-02-25 18:52:31 EST
Christopher Meng,

(In reply to Christopher Meng from comment #12)
> Hi,
> 
> mininet is in my todo list on packaging.
> 
> If you have time, please help test this package when I submit it.

.. or, instead of starting from scratch, you could help improve the mininet SRPM/specfile listed in comment #4.

Note:
 * the two patches included in the SRPM are already upstream
   (just have to check if they were included in mininet 2.1.0p1)
 
/jpo
Comment 14 Fedora Update System 2014-03-15 11:22:01 EDT
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
