add openvswitch-ipsec.service policy

2024-03-29 08:24:36 +00:00 · 2024-03-29 08:24:36 +00:00 · cb5cc1ddd2
commit cb5cc1ddd2
parent 0f59a3f8f6
3 changed files with 138 additions and 5 deletions
--- a/fix-selinux-err.patch
+++ b/fix-selinux-err.patch
@ -1,16 +1,97 @@
+From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 29 Mar 2024 15:26:06 +0800
+Subject: [PATCH] fix selinux err
+
+add openvswitch-ipsec.service policy
+
+---
+ selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 5 deletions(-)
+
 diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
-index 9f51f604e..77b0bd98f 100644
+index 9f51f60..1b34147 100644
 --- a/selinux/openvswitch-custom.te.in
 +++ b/selinux/openvswitch-custom.te.in
-@@ -15,6 +15,7 @@ require {
+@@ -12,11 +12,22 @@ require {
+         type openvswitch_var_run_t;
+ 
+         type bin_t;
+        type etc_t;
         type ifconfig_exec_t;
+        type ipsec_t;
+        type ipsec_conf_file_t;
+        type ipsec_exec_t;
+        type ipsec_key_file_t;
+        type ipsec_mgmt_exec_t;
+        type ipsec_mgmt_unit_file_t;
+        type ipsec_var_run_t;
         type init_t;
         type init_var_run_t;
-+	type initrc_t;
+        type initrc_t;
         type insmod_exec_t;
         type kernel_t;
+        type ldconfig_exec_t;
+        type systemd_systemctl_exec_t;
         type hostname_exec_t;
-@@ -118,6 +119,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
+         type modules_conf_t;
+         type modules_dep_t;
+@@ -45,7 +56,7 @@ require {
+         class chr_file { write getattr read open ioctl map };
+         class dir { write remove_name add_name lock read getattr search open };
+         class fd { use };
+-        class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+        class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl };
+         class fifo_file { getattr read write append ioctl lock open };
+         class filesystem getattr;
+         class lnk_file { read open };
+@@ -55,11 +66,12 @@ require {
+         class netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+         class netlink_socket { setopt getopt create connect getattr write read };
+-        class sock_file { write };
+        class sock_file { read write };
+         class system { module_load module_request };
+         class process { sigchld signull transition noatsecure siginh rlimitinh };
+         class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
+ 
+        class service { start status };
+ @begin_dpdk@
+         class sock_file { read append getattr open };
+         class tun_socket { relabelfrom relabelto create };
+@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t);
+ domtrans_pattern(openvswitch_t, openvswitch_load_module_exec_t, openvswitch_load_module_t);
+ 
+ #============= openvswitch_t ==============
+-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw };
+-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write };
+-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write };
+allow openvswitch_t etc_t:dir { write };
+allow openvswitch_t ifconfig_exec_t:file map;
+allow openvswitch_t init_t:file { getattr open read };
+allow openvswitch_t init_t:lnk_file read;
+allow openvswitch_t init_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_t:unix_stream_socket connectto;
+allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };
+allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read };
+allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write };
+allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink };
+allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read };
+allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status };
+allow openvswitch_t ipsec_var_run_t:sock_file { read write };
+allow openvswitch_t ldconfig_exec_t:file execute;
+allow openvswitch_t ldconfig_exec_t:file map;
+allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read };
+allow openvswitch_t systemd_systemctl_exec_t:file map;
+allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read };
+
+allow openvswitch_t self:capability { dac_override net_broadcast net_raw };
+allow openvswitch_t self:netlink_audit_socket { create read write };
+allow openvswitch_t self:netlink_netfilter_socket { create read write };
+ @begin_dpdk@
+ allow openvswitch_t self:netlink_rdma_socket { setopt bind create };
+ @end_dpdk@
+@@ -118,6 +149,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition;
 allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
 allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
 allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
@ -18,3 +99,6 @@ index 9f51f604e..77b0bd98f 100644
 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
 allow openvswitch_load_module_t kernel_t:system module_request;
 allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
+-- 
+2.27.0
+
--- a/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
+++ b/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch
@ -0,0 +1,24 @@
+From 5e2e60e2f05195f506ea68fe17e72a2a6fe4bdbe Mon Sep 17 00:00:00 2001
+From: zhangpan <zhangpan103@h-partners.com>
+Date: Fri, 29 Mar 2024 15:26:47 +0800
+Subject: [PATCH] Fix the problem that openvswitch-ipsec.service causes ipsec.service to fail to start
+
+---
+ ipsec/ovs-monitor-ipsec.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
+index 7945162..c4f48e9 100755
+--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
+@@ -389,6 +389,7 @@ class LibreSwanHelper(object):
+     """This class does LibreSwan specific configurations."""
+     CONF_HEADER = """%s
+ config setup
+    nssdir=/etc/ipsec.d
+     uniqueids=yes
+ 
+ conn %%default
+-- 
+2.27.0
+
--- a/openvswitch.spec
+++ b/openvswitch.spec
@ -13,7 +13,7 @@ Name: openvswitch
 Summary: Open vSwitch daemon/database/utilities
 URL: https://www.openvswitch.org/
 Version: 3.2.1
-Release: 2
+Release: 3
 License: ASL 2.0 and LGPLv2+ and SISSL

 Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
@ -21,6 +21,7 @@ Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz
 Patch0000:      0000-openvswitch-add-stack-protector-strong.patch
 Patch0002:      0002-Remove-unsupported-permission-names.patch
 Patch0003:      fix-selinux-err.patch
+Patch0004:      fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch

 Patch6000:      backport-CVE-2023-3966.patch

@ -34,6 +35,7 @@ BuildRequires: groff-base graphviz
 BuildRequires: unbound-devel groff
 # make check dependencies
 BuildRequires: procps-ng
+BuildRequires: checkpolicy selinux-policy-devel

 %if %{with check_datapath_kernel}
 BuildRequires: nmap-ncat
@ -48,6 +50,7 @@ BuildRequires: dpdk-devel libpcap-devel numactl-devel
 %endif

 Requires: openssl iproute module-init-tools
+Requires: selinux-policy-targeted

 Requires(post): /bin/sed
 Requires(post): %{_sbindir}/update-alternatives
@ -145,6 +148,9 @@ ln -s ../configure
        --enable-ssl \
        --with-pkidir=%{_sharedstatedir}/openvswitch/pki
 make %{?_smp_mflags}
+sed -i "s#selinux/openvswitch-custom.te selinux/openvswitch-custom.fc#../selinux/openvswitch-custom.te ../selinux/openvswitch-custom.fc#g" Makefile
+sed -i "s#-C selinux/ -f#-C ../selinux/ -f#g" Makefile
+make selinux-policy
 popd
 %if %{with dpdk}
 pushd build-dpdk
@ -187,6 +193,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/run/openvswitch
 install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch
 install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch

+install -p -m 644 -D selinux/openvswitch-custom.pp \
+    $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
+
 install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \
        $RPM_BUILD_ROOT%{_udevrulesdir}/91-vfio.rules

@ -290,6 +299,9 @@ pushd $dir
 %endif
 popd
 done
+
+%pre
+%selinux_relabel_pre -s targeted
 
 %preun
 %if 0%{?systemd_preun:1}
@ -311,6 +323,7 @@ done
        /bin/systemctl daemon-reload >dev/null || :
    fi
 %endif
+%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp

 %postun
 %if 0%{?systemd_postun:1}
@ -319,6 +332,13 @@ done
    /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 %endif

+if [ $1 -eq 0 ] ; then
+  %selinux_modules_uninstall -s targeted openvswitch-custom
+fi
+
+%posttrans
+%selinux_relabel_post -s targeted
+
 %if %{with dpdk}
 %post dpdk
 if grep -Fqw sse4_1 /proc/cpuinfo; then
@ -422,11 +442,16 @@ fi
 %doc LICENSE NOTICE README.rst NEWS rhel/README.RHEL.rst
 /var/lib/openvswitch
 /var/log/openvswitch
+%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
 %ghost %attr(755,root,root) %verify(not owner group) /run/openvswitch
 %{_sysconfdir}/sysconfig/network-scripts/ifup-ovs
 %{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs

 %changelog
+* Fri Mar 29 2024 zhangpan <zhangpan103@h-partners.com> - 3.2.1-3
+- fix openvswitch-ipsec servive failure when selinux is on
+- fix the problem that openvswitch-ipsec.service causes ipsec.service to fail when starting
+
 * Sun Feb 18 2024 zhangpan <zhangpan103@h-partners.com> - 3.2.1-2
 - fix CVE-2023-3966