Bug
Resolution: Done
Low
20.05
None
$ cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
# up-to-date packages
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
$ vppctl show version verbose cmdline
Version:                  v20.05.1-release
Compiled by:              root
Compile host:             d17a60fbc087
Compile date:             2020-07-15T20:27:00
Compile location:         /w/workspace/vpp-merge-2005-centos7
Compiler:                 GCC 9.3.1 20200408 (Red Hat 9.3.1-2)
Current PID:              5908
Command line arguments:   /usr/bin/vpp unix { nodaemon log /var/log/vpp/vpp.log full-coredump cli-listen /run/vpp/cli.sock gid vpp } api-trace { on } api-segment { gid vpp } socksvr { default } cpu { } dpdk { dev 0000:00:13.0 } plugins { plugin default { disable } plugin dpdk_plugin.so { enable } }
Similar to VPP-1640, on a fresh, up-to-date CentOS 7 VM I get permission denied, blocked by SELinux, when attempting to create a host-interface.
Extremely basic VPP config with a single virtio interface consumed by VPP. I believe I located the missing permissions with ease.
Steps to reproduce and catch the SELinux error (in a less sophisticated way than Billy detailed in the related issue):
$ semodule -DB   # display dontaudit events, as this one is hidden by the vpp dontaudit policy
$ ip link add vpeer-host type veth peer name vpeer-vpp
$ vppctl create host-interface name vpeer-vpp
create host-interface: Permission denied (errno 13)
$ grep denied /var/log/audit/audit.log
type=AVC msg=audit(1599778019.472:12194): avc:  denied  { read write } for  pid=5908 comm="vpp_main" path="socket:[105612]" dev="sockfs" ino=105612 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=
Building and loading a SELinux module for these two permissions clears the error:
$ audit2allow -m vpp-packet-socket < /var/log/audit/audit.log > vpp-packet-socket.te
$ cat vpp-packet-socket.te

module vpp-packet-socket 1.0;

require {
	type vpp_t;
	class packet_socket { read write };
}

#============= vpp_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow vpp_t self:packet_socket { read write };
$ checkmodule -M -m -o vpp-packet-socket.mod vpp-packet-socket.te
checkmodule: loading policy configuration from vpp-packet-socket.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 19) to vpp-packet-socket.mod
$ semodule_package -o vpp-packet-socket.pp -m vpp-packet-socket.mod
$ semodule -i vpp-packet-socket.pp
$ vppctl create host-interface name vpeer-vpp
host-vpeer-vpp
$ vppctl show interface
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
GigabitEthernet0/13/0             1     down         9000/0/0/0
host-vpeer-vpp                    2     down         9000/0/0/0
local0                            0     down          0/0/0/0
Submitting a Gerrit review for adding { read write } to vpp_t self:packet_socket momentarily.
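The steps above lean on audit2allow to turn the AVC record into a TE rule. As an added example, not code from this issue or from the vpp-selinux-policy project, the following script does that mapping by hand so the fields of an AVC record can be followed into the allow rule and the require block: the source type is field 3 of scontext, the target becomes self when the tcontext type is the same, and the permissions are the braced list after "denied". It also takes an optional source-type filter, because after semodule -DB the audit log fills with unrelated dontaudit'ed denials from every domain on the box. Both sample records are constructed; the second (a sock_file denial against tmp_t) is invented to show the non-self case and is not a denial observed in this report.

```shell
#!/bin/sh
# Added example, not code from the VPP issue or the vpp-selinux-policy
# project: the mapping audit2allow performs for simple denials, done by
# hand so the fields of an AVC record can be followed into the TE rule.
#
# Constructed sample records (the first is modelled on the report's AVC
# line; the second is invented to show a target that is not "self").
SAMPLE_AVC_SELF='type=AVC msg=audit(1599778019.472:12194): avc:  denied  { read write } for  pid=5908 comm="vpp_main" path="socket:[105612]" dev="sockfs" ino=105612 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=packet_socket permissive=0'
SAMPLE_AVC_FILE='type=AVC msg=audit(1599778020.001:12195): avc:  denied  { write } for  pid=5908 comm="vpp_main" name="example.sock" dev="tmpfs" ino=42 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0'

# avc_to_allow [SOURCE_TYPE]
# Read AVC records on stdin and print one TE allow rule per denial.
# When SOURCE_TYPE is given, records from other domains are dropped;
# that matters after "semodule -DB", which also surfaces unrelated
# dontaudit'ed denials from every domain on the box.
avc_to_allow() {
    awk -v want="${1:-}" '
    /avc: *denied/ {
        perms = $0                      # text between "{" and "}" after "denied"
        sub(/^.*denied *[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = $i
            else if ($i ~ /^tcontext=/) tgt = $i
            else if ($i ~ /^tclass=/) cls = $i
        }
        # contexts are user:role:type:level, so the type is field 3
        split(src, s, ":"); split(tgt, t, ":")
        sub(/^tclass=/, "", cls)
        if (want != "" && s[3] != want) next
        target = (s[3] == t[3]) ? "self" : t[3]
        printf "allow %s %s:%s { %s };\n", s[3], target, cls, perms
    }'
}

# te_module NAME
# Wrap allow rules from stdin in a loadable module source: the header,
# a require block naming every type and class/permission used, then
# the rules, in the same layout "audit2allow -m" produces.
te_module() {
    awk -v name="$1" '
    {
        rules[NR] = $0
        split($0, f, " ")               # allow SRC TGT:CLASS { p... };
        types[f[2]] = 1
        split(f[3], tc, ":")
        if (tc[1] != "self") types[tc[1]] = 1
        perms = $0
        sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        m = split(perms, p, " ")
        for (i = 1; i <= m; i++)
            if (!((tc[2], p[i]) in seen)) {
                seen[tc[2], p[i]] = 1
                classperms[tc[2]] = classperms[tc[2]] " " p[i]
            }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classperms) printf "\tclass %s {%s };\n", c, classperms[c]
        printf "}\n\n"
        for (i = 1; i <= NR; i++) print rules[i]
    }'
}

# Stand-alone run: rules for both samples, then module source for the
# vpp_t denial only. Building and loading it is the same as in the report:
#   checkmodule -M -m -o vpp-packet-socket.mod vpp-packet-socket.te
#   semodule_package -o vpp-packet-socket.pp -m vpp-packet-socket.mod
#   semodule -i vpp-packet-socket.pp
printf '%s\n%s\n' "$SAMPLE_AVC_SELF" "$SAMPLE_AVC_FILE" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC_SELF" | avc_to_allow vpp_t | te_module vpp-packet-socket
```

Two checks worth doing before loading whatever comes out: read each generated rule and confirm it is as narrow as the one in this report (vpp_t on its own packet sockets, nothing broader), since the generator grants exactly what was denied and a noisy log will happily produce rules for other domains; and run semodule -B afterwards, because semodule -DB leaves dontaudit rules disabled until the policy is rebuilt.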
Relates to:
VPP-1640 Missing rules in vpp-selinux-policy (New)