+++ This bug was initially created as a clone of Bug #1498797 +++
Description of problem:
openvswitch-2.8 fails to start with SELinux enforcing
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.5.fc27.noarch
openvswitch-2.8.1-1.fc27.x86_64
Steps to Reproduce:
# dnf install https://kojipkgs.fedoraproject.org//packages/openvswitch/2.8.1/1.fc27/x86_64/openvswitch-2.8.1-1.fc27.x86_64.rpm
# systemctl start ovsdb-server
Actual results:
ovsdb-server fails to start when SELinux is enforcing, on the first denied AVC.
Full list of AVCs w/ SELinux permissive is below [*]
NB this is just service start, there might be more in actual operation!
[*]
type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
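For triage, the denials listed above can be grouped by source type, target and object class, which shows what the policy was missing for each command that ran in the openvswitch_t domain. This is an added example, not part of the original report or of the selinux-policy project; the function names are hypothetical and SAMPLE holds the four records copied from the report.

```python
import re
from collections import defaultdict

# The four AVC records from the report, embedded so the example runs offline.
SAMPLE = """\
type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def group_denials(text):
    """Map (source type, target, class) to denied perms and the commands seen."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        # A domain acting on itself is written as "self" in policy rules.
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec.get("comm", "?"))
    return groups

def allow_rules(text):
    """Render each group as the allow rule that would cover it, for review."""
    rules = []
    for (src, tgt, cls), g in sorted(group_denials(text).items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        comms = ", ".join(sorted(g["comms"]))
        rules.append(f"allow {src} {tgt}:{cls} {body}; # seen from: {comms}")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```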
Comment 7 Fedora Update System
2017-10-31 15:33:52 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.