Bug 1448887

Summary: ovs-vsctl AVCs in logs (no functional issues)
Product: Red Hat OpenStack
Reporter: Lon Hohberger <lhh>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: low
Docs Contact:
Priority: low
Version: 11.0 (Ocata)
CC: jschluet, lhh, mgrepl, rhallise, srevivo
Target Milestone: z2
Keywords: Triaged, ZStream
Target Release: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-selinux-0.8.9-0.1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-13 21:50:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Lon Hohberger 2017-05-08 13:53:29 UTC
Description of problem:

AVCs appear in the logs related to ovs-vsctl when run with OpenStack.  This only occurs with Open vSwitch 2.6.0 and later:

https://github.com/openvswitch/ovs/blob/15931827ee9198edf84861c0e30f6d20cd04fd83/utilities/ovs-vsctl.c#L2504

The 2.5.1 code did not do this:

https://github.com/openvswitch/ovs/blob/3443a502269510cf3de9d8b707e17392047626b9/utilities/ovs-vsctl.c

Note however that the only functional thing that occurs is ovs-vsctl reads /proc/$PPID/cmdline in order to print largely what amounts to debugging information into the logs.

Version-Release number of selected component (if applicable):

openstack-selinux 0.8.6
openvswitch 2.6.0+


How reproducible: 100%

Comment 1 Lon Hohberger 2017-05-08 13:55:37 UTC
The AVC looks like:

type=AVC msg=audit(1494056788.547:1389): avc:  denied  { read } for  pid=88096 comm="ovs-vsctl" name="cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file


Since this is debugging information primarily, I recommend dontaudit, since giving OVS blanket access to read all of neutron_t is not worth it:

dontaudit openvswitch_t neutron_t:file read;


However, this could mask other problems in the future (if for example OVS really _did_ need to read all of neutron_t files).

Comment 3 Lon Hohberger 2017-05-16 20:40:30 UTC
Needs open and getattr too. :/
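
The triage step behind Comment 1 and Comment 3 (collect the AVC records, merge the denied permissions per source type, target type and class, and emit the resulting dontaudit rule as a loadable module) is shown below as an added example. It is not code from openstack-selinux or from the bug reporter. The audit excerpt is constructed: its first line is the AVC quoted in Comment 1, while the SYSCALL record and the open/getattr AVCs are made up here to stand in for the extra denials Comment 3 mentions; the module name ovs_proc_dontaudit is a placeholder.

```python
"""Aggregate SELinux AVC denials into a dontaudit (or allow) policy module.

Added example: a small audit2allow-style triage helper that turns raw
audit.log AVC records into the rule proposed in Comment 1, widened to the
open/getattr permissions Comment 3 says are also needed.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt.  Line 1 is the AVC quoted in
# Comment 1; the SYSCALL line and the open/getattr AVCs are constructed to
# illustrate the extra denials from Comment 3 (pid/path/ino values are
# illustrative, not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1494056788.547:1389): avc:  denied  { read } for  pid=88096 comm="ovs-vsctl" name="cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
type=SYSCALL msg=audit(1494056788.547:1389): arch=c000003e syscall=2 success=no exit=-13 comm="ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0
type=AVC msg=audit(1494056788.548:1390): avc:  denied  { open } for  pid=88096 comm="ovs-vsctl" path="/proc/88095/cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
type=AVC msg=audit(1494056788.549:1391): avc:  denied  { getattr } for  pid=88096 comm="ovs-vsctl" path="/proc/88095/cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context is user:role:type[:range]; only the type matters for the rule.
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", ""),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def aggregate_denials(log_text):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules


def render_rules(rules, kind="dontaudit"):
    """Render aggregated denials as policy rules; kind is 'dontaudit' or 'allow'."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return out


def policy_module(name, version, rules, kind="dontaudit"):
    """Render a .te in raw 'module' syntax (no refpolicy tree needed).

    Build and load with:
      checkmodule -M -m -o NAME.mod NAME.te
      semodule_package -o NAME.pp -m NAME.mod
      semodule -i NAME.pp
    Caveat from the bug: a dontaudit hides future real denials too.  To see
    them again temporarily, rebuild with dontaudit rules disabled
    (semodule -DB) and re-enable afterwards (semodule -B).
    """
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    req = ["require {"]
    req += [f"    type {t};" for t in types]
    req += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    req.append("}")
    body = [f"module {name} {version};", ""] + req + [""] + render_rules(rules, kind)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    denials = aggregate_denials(SAMPLE_AUDIT_LOG)
    # Module name is a placeholder, not the name used in openstack-selinux.
    print(policy_module("ovs_proc_dontaudit", "1.0", denials))
```

Run against the sample it emits `dontaudit openvswitch_t neutron_t:file { getattr open read };` inside a require block, which is the narrow rule Comment 1 argues for (as opposed to a blanket allow on neutron_t files); passing `kind="allow"` renders the alternative so the two can be compared before a decision is made.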

Comment 10 errata-xmlrpc 2017-09-13 21:50:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2722