Bug 1500122

Summary: ovsdb-server fails to start with OVS-2.8.1 with AVC denial
Product: Fedora
Reporter: Alan Pevec <apevec>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: aconole, amoralej, apevec, dwalsh, lhh, lsm5, lvrabec, mgrepl, oblaut, plautrba, pmoore, rbryant, srevivo, tredaelli
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-283.14.fc27
Clone Of: 1498797
Last Closed: 2017-10-31 15:33:52 UTC
Type: Bug
Bug Depends On: 1498797

Description Alan Pevec 2017-10-10 00:32:57 UTC
+++ This bug was initially created as a clone of Bug #1498797 +++

Description of problem:

openvswitch-2.8 fails to start with SELinux enforcing

Version-Release number of selected component (if applicable):
  selinux-policy-3.13.1-283.5.fc27.noarch
  openvswitch-2.8.1-1.fc27.x86_64

Steps to Reproduce:

# dnf install https://kojipkgs.fedoraproject.org//packages/openvswitch/2.8.1/1.fc27/x86_64/openvswitch-2.8.1-1.fc27.x86_64.rpm
# systemctl start ovsdb-server


Actual results:

ovsdb-server fails to start when SELinux is enforcing, on the first denied AVC.
Full list of AVCs with SELinux permissive is below [*]
NB: this is just service start; there might be more in actual operation!

[*]
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1507594743.049:195): avc:  denied  { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
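
Triaging the denials above by hand, as an added example that is not part of this report or of the selinux-policy project: a small Python parser that reads the four AVC records quoted in the description, groups them by source type, target and object class into the shape of allow rules (the same reduction audit2allow performs), and flags the dac_override capability for review, since that denial usually points at a file-ownership or mode problem to fix rather than a permission to grant. The function names and regular expressions are my own, not anything from the policy tooling.

```python
import re
from collections import defaultdict
# The four AVC records quoted in the description, embedded inline as sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507594743.049:195): avc:  denied  { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value" pairs

def parse_avc(line):
    """Parse one AVC denial record; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        return {'perms': m.group('perms').split(), 'comm': f.get('comm'),
                'scontext': f['scontext'], 'tcontext': f['tcontext'],
                'tclass': f['tclass'], 'permissive': f.get('permissive') == '1'}
    except KeyError:  # truncated record without the contexts/class we need
        return None

def summarize(text):
    """Group denials by (source type, target, class) -> set of permissions, i.e.
    the shape of an allow rule. Target is 'self' when both contexts match."""
    rules = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        src, tgt = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
        target = 'self' if avc['scontext'] == avc['tcontext'] else tgt
        rules[(src, target, avc['tclass'])].update(avc['perms'])
    return dict(rules)

def render(rules):
    """Emit allow rules in policy syntax. dac_override is flagged for review:
    it usually means wrong file ownership/mode, not a permission the daemon needs."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if cls == 'capability' and 'dac_override' in perms:
            rule += '  # review: dac_override'
        out.append(rule)
    return out
```

On the records above this yields two candidate rules, one for the netlink_audit_socket class and one for the capability class, with the latter carrying the review flag.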

Comment 1 Alan Pevec 2017-10-10 23:06:23 UTC
https://github.com/fedora-selinux/selinux-policy-contrib/pull/32

Thanks Lon!

Comment 5 Fedora Update System 2017-10-25 10:10:36 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 6 Fedora Update System 2017-10-27 18:44:28 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 7 Fedora Update System 2017-10-31 15:33:52 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.