Bug 1778793
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | openvswitch gets AVCs for fowner and fsetid on its own things | | |
| Product | Red Hat OpenStack | Reporter | Cédric Jeanneret <cjeanner> |
| Component | openstack-selinux | Assignee | Julie Pichon <jpichon> |
| Status | CLOSED ERRATA | QA Contact | nlevinki <nlevinki> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 16.0 (Train) | CC | aconole, lhh, lvrabec, pgrist, zcaplovi |
| Target Milestone | z1 | Keywords | Triaged |
| Target Release | 16.0 (Train on RHEL 8.1) | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | openstack-selinux-0.8.20-0.20191220123532.2f2c423.el8ost | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-03-03 09:50:03 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Cédric Jeanneret
2019-12-02 14:06:47 UTC
So after some more digging: this issue isn't related to OpenStack itself. It's when you run "systemctl start openvswitch". It tried to change the /run/openvswitch context, passing from system_u:object_r:openvswitch_var_run_t to system_u:system_r:openvswitch_t. Apparently fcontext has a rule ensuring /var/run/openvswitch (=== /run/openvswitch) has "object_r", per this patch: https://github.com/fedora-selinux/selinux-policy-contrib/commit/889a9bf63b#diff-12d4f2f44da10b59ed4611b810a6d56bR13

I've re-tried to cleanup + start openvswitch on a SELinux enforcing system, and the daemons did start as expected - just one AVC is listed (first one, fowner thing).

So I'm wondering: what's the best thing to do?

1. update the fcontext in selinux-policy-contrib
2. allow the change (add a simple policy in openstack-selinux)
3. allow the change (add a simple policy in selinux-policy)
4. ignore that entry from the audit.log (dontaudit or something)

No idea who we can ask... ?

---

(In reply to Cédric Jeanneret from comment #1)
> So I'm wondering: what's the best thing to do?
> 1- update the fcontext in selinux-policy-contrib

I doubt this would be an acceptable solution, as this would be backwards-incompatible and probably break other things.

> 2- allow the change (add a simple policy in openstack-selinux)
> 3- allow the change (add a simple policy in selinux-policy)
> 4- ignore that entry from the audit.log (dontaudit or something)
>
> No idea who we can ask... ?

Aaron, I am wondering if you would have an idea about these fowner/fsetid AVC denials coming up on openvswitch install/start?

---

> install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch

I'm not sure what causes these. What version of OvS is being used? I think it depends on what is generating the /var/run/openvswitch directory (if that directory doesn't exist, then the startup script creates it, but this might require additional permissions).

---

Hi Cédric! Would you be able to answer Aaron's questions about the OvS version?

---

Hello there,

Currently working on something else - can't get my reproducer up until it's over. Hopefully I'll be able to provide some more info by next week. Sorry for the delay :/.

---

Hello there,

So, here is the info - on a "master" deploy on Centos-7:

```
python-openvswitch-2.12.0-1.el7.x86_64
openvswitch-2.12.0-1.el7.x86_64
```

Would that be enough info, or do you need some other package versions?

Cheers,

C.

---

Small update:

- the package is installed far, far before anything is done with containers|configuration
- it was done on a clean VM, meaning no rest of previous manipulation
- at least in the t-h-t, nothing is actually creating the directory - we only bind-mount it within different containers

---

Thanks for the extra info, everyone. I can see this permission was added to the downstream openvswitch policy with bug 1759695 so it sounds like we need this too. Aaron, could I just confirm if https://pagure.io/openvswitch-selinux-policy/ is usually the correct upstream for openvswitch-selinux-extra-policy? Thank you.

---

Thank you!

---

```
[root@rhel8 ~]# cat /usr/share/openstack-selinux/0.8.20/tests/bz1778793
type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fsetid } for pid=3137 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fowner } for pid=3137 comm=install capability=fowner scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
[root@rhel8 ~]# /usr/share/openstack-selinux/0.8.20/tests/check_all
Results: 832 total, 0 failed
Overall result: PASS
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0657
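The two AVC records quoted in the verification comment are the raw material for choosing between the options listed in the first comment (a dontaudit, or an allow rule in openstack-selinux or selinux-policy). The script below is an added example and is not part of this bug report, of openstack-selinux or of the openvswitch policy: it parses `ausearch -i` style AVC lines, groups the denied permissions by source type, target type and object class, and renders the minimal `.te` module that `audit2allow` would produce for them. Both denials here are self-directed capability denials logged with `permissive=1`, so the `install` command went ahead and the denial was only recorded. The sample input is the two records from this bug plus one constructed non-AVC line to show it is skipped; the module name `ovs_local` is an assumption.

```python
import re
from collections import defaultdict

# Constructed fixture: the two AVC records quoted in this bug's verification
# comment (ausearch -i format), plus a SYSCALL line that must be ignored.
SAMPLE_AUDIT = (
    "type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fsetid } "
    "for pid=3137 comm=install capability=fsetid "
    "scontext=system_u:system_r:openvswitch_t:s0 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1\n"
    "type=AVC msg=audit(12/02/2019 13:32:12.703:5794) : avc: denied { fowner } "
    "for pid=3137 comm=install capability=fowner "
    "scontext=system_u:system_r:openvswitch_t:s0 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1\n"
    "type=SYSCALL msg=audit(12/02/2019 13:32:12.703:5794) : arch=x86_64 syscall=fchown\n"
)

# "avc: denied { perm1 perm2 } for key=value ..." ; the perms set is braced.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; raw (non -i) audit output quotes comm, so accept both.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1: the access was granted and only logged (permissive
        # domain or permissive mode); permissive=0 means it was really blocked.
        "permissive": fields.get("permissive") == "1",
    }


def aggregate_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(grouped)


def render_te_module(grouped, name):
    """Render a minimal .te policy module in the shape audit2allow emits."""
    types, classes, rules = set(), defaultdict(set), []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        types.update({stype, ttype})
        classes[tclass].update(perms)
        # A domain acting on its own type (all capability checks do) is "self".
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module(aggregate_denials(SAMPLE_AUDIT.splitlines()), "ovs_local"))
```

Grouping by type triple rather than by process makes the rendered rule reviewable in one line: `allow openvswitch_t self:capability { fowner fsetid };` is exactly the grant being decided on, and the `permissive` flag tells you whether the daemon was actually blocked or merely noisy before you decide between an allow and a dontaudit.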