Bug 1335024
| Summary: | Open vSwitch 2.4 needs new SElinux policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Itzik Brown <itbrown> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.2 | CC: | itbrown, lvrabec, mgrepl, mmalik, nyechiel, oblaut, plautrba, pvrabec, ssekidde, tfreger |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-88.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 02:28:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1337087 | ||
Based on "success=no exit=-13", the SELinux denial appeared in enforcing mode. Are there any other SELinux denials in the audit.log file after you switched the domain to permissive?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

I tried again, and without setting to permissive I now see the flows, but there is still an AVC denial:
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(05/15/2016 03:32:38.619:796) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:26.818:2461) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:26.818:2462) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:26.818:2463) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:26.818:2464) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=6) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2499) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2500) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=8) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2501) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=9) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2502) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=10) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2503) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=11) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:35:30.009:2504) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=12) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(05/15/2016 03:43:17.382:6966) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=13) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=SYSCALL msg=audit(05/15/2016 03:43:38.780:7184) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x22 a1=0x7ffc31a1ed10 a2=0x10 a3=0x0 items=0 ppid=6482 pid=6483 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(05/15/2016 03:43:38.780:7184) : avc: denied { name_connect } for pid=6483 comm=ovs-vswitchd dest=6653 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(05/15/2016 04:18:18.760:9335) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x22 a1=0x7ffc76a70fd0 a2=0x10 a3=0x0 items=0 ppid=16084 pid=16085 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(05/15/2016 04:18:18.760:9335) : avc: denied { name_connect } for pid=16085 comm=ovs-vswitchd dest=6653 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(05/15/2016 04:22:43.554:9408) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x22 a1=0x7ffceab12440 a2=0x10 a3=0x0 items=0 ppid=16453 pid=16454 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(05/15/2016 04:22:43.554:9408) : avc: denied { name_connect } for pid=16454 comm=ovs-vswitchd dest=6653 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket
# seinfo --portcon=6653
portcon tcp 6653 system_u:object_r:openvswitch_port_t:s0
portcon tcp 6653 system_u:object_r:openflow_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# sesearch --allow -s openvswitch_t -t openvswitch_port_t -c tcp_socket -p name_connect
# sesearch --allow -s openvswitch_t -t openflow_port_t -c tcp_socket -p name_connect
Found 1 semantic av rules:
allow openvswitch_t openflow_port_t : tcp_socket name_connect ;
#

Will the access be allowed? No, we should change labels for ports.

But this labeling is not from the selinux-policy package. Does openvswitch have its own policy package?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
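An added triage helper, not code from this bug or from the Open vSwitch or selinux-policy projects: it parses the AVC record, the seinfo --portcon output and the sesearch --allow output quoted above and answers the question asked in the comment (will the access be allowed?), listing every port type that claims the destination port so the double labeling of tcp/6653 is visible. All function names are hypothetical; the inputs are constructed from the values quoted on this page.

```python
import re

# Inputs constructed from the audit and policy output quoted in this bug.
AVC_LINE = ("type=AVC msg=audit(05/15/2016 03:43:38.780:7184) : avc: denied { name_connect } "
            "for pid=6483 comm=ovs-vswitchd dest=6653 scontext=system_u:system_r:openvswitch_t:s0 "
            "tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket")
PORTCON = """portcon tcp 6653 system_u:object_r:openvswitch_port_t:s0
portcon tcp 6653 system_u:object_r:openflow_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0"""
ALLOW_RULES = ["allow openvswitch_t openflow_port_t : tcp_socket name_connect ;"]
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+\{?\s*([^};]+?)\s*\}?\s*;")

def parse_avc(line):
    """Pull the fields that decide a name_connect denial out of one AVC record."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    perms = re.search(r"denied\s+\{\s*([^}]+)\}", line).group(1).split()
    return {"perms": perms, "dest": int(fields["dest"]), "tclass": fields["tclass"],
            "stype": fields["scontext"].split(":")[2],  # type is the 3rd field of a context
            "ttype": fields["tcontext"].split(":")[2]}

def parse_portcon(text):
    """seinfo --portcon lines -> (proto, low, high, type), in the printed order."""
    out = []
    for line in text.splitlines():
        _, proto, ports, ctx = line.split()
        low, _, high = ports.partition("-")
        out.append((proto, int(low), int(high or low), ctx.split(":")[2]))
    return out

def port_labels(portcon, proto, port):
    """Every port type whose portcon covers the port; the kernel uses the first match."""
    return [t for p, lo, hi, t in portcon if p == proto and lo <= port <= hi]

def is_allowed(avc, rules):
    """True when the sesearch --allow output grants every denied permission."""
    needed = set(avc["perms"])
    for m in filter(None, map(ALLOW_RE.match, rules)):
        if (m[1], m[2], m[3]) == (avc["stype"], avc["ttype"], avc["tclass"]):
            needed -= set(m[4].split())
    return not needed

def triage(avc_line, portcon_text, rules):
    """Answer 'will the access be allowed?' and list port types competing for dest."""
    avc = parse_avc(avc_line)
    proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
    labels = port_labels(parse_portcon(portcon_text), proto, avc["dest"])
    return {"allowed": is_allowed(avc, rules), "applied": avc["ttype"], "candidates": labels}

print(triage(AVC_LINE, PORTCON, ALLOW_RULES))
```

The tcontext in the denial is the label the kernel actually applied, so the allow rule for openflow_port_t never matches while openvswitch_port_t is listed first for the same port; the fix in the errata changes the port labeling rather than adding a rule.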
Description of problem:
After installing Openstack and Opendaylight and setting the manager for openvswitch I saw no flows for br-int and br-ex. Looking at the audit log:

type=SYSCALL msg=audit(1461211414.684:3235): arch=c000003e syscall=42 success=no exit=-13 a0=2a a1=7ffd8138ed10 a2=10 a3=0 items=0 ppid=28063 pid=28064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1461211414.684:3236): avc: denied { name_connect } for pid=28064 comm="ovs-vswitchd" dest=6653 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_port_t:s0 tclass=tcp_socket

It seems a new policy is required.

Version-Release number of selected component (if applicable):
RHEL7.2
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-3.13.1-60.el7_2.3.noarch
ovs_version: "2.4.0"

After running semanage permissive -a openvswitch_t everything works.

How reproducible:

Steps to Reproduce:
1. Set the openvswitch manager to that of the opendaylight controller: ovs-vsctl set-manager tcp:<ODL controller>:6640
2. Verify that there are no flows on each bridge: ovs-ofctl -O OpenFlow13 dump-flows <bridge>
3.

Actual results:

Expected results:

Additional info: