Bug 1906278
Description
qding
2020-12-10 06:13:06 UTC
Please include: 1. ls -laZ /etc/ipsec.conf 2. ps aux | grep ovs 3. /var/log/audit/audit.log Reassigning to openvswitch-selinux-extra-policy Created attachment 1739625 [details] audit.log (In reply to Aaron Conole from comment #1) > Please include: > > 1. ls -laZ /etc/ipsec.conf [root@dell-per730-05 ~]# ls -laZ /etc/ipsec.conf -rw-r--r--. 1 root root system_u:object_r:ipsec_conf_file_t:s0 1557 Nov 3 09:54 /etc/ipsec.conf > 2. ps aux | grep ovs [root@dell-per730-05 ~]# ps aux | grep ovs openvsw+ 20078 0.0 0.0 77044 7728 ? S<s 07:40 0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach openvsw+ 20137 0.0 0.1 92644 51504 ? S<Ls 07:40 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach root 20173 0.0 0.0 12108 1068 pts/0 S+ 07:42 0:00 grep --color=auto ovs [root@dell-per730-05 ~]# > 3. /var/log/audit/audit.log Please see the attachment audit.log Created attachment 1740111 [details]
audit log for rhel7
The RHEL 7 package has the same issue when SELinux is Enforcing.
[root@dell-per730-04 ~]# uname -r
3.10.0-1160.11.1.el7.x86_64
[root@dell-per730-04 ~]# rpm -qa | grep openvswitch
python3-openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-2.13.0-68.el7fdp.x86_64
openvswitch2.13-ipsec-2.13.0-68.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ls -laZ /etc/ipsec.conf
-rw-r--r--. root root system_u:object_r:ipsec_conf_file_t:s0 /etc/ipsec.conf
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ps aux | grep ovs
openvsw+ 10534 0.0 0.0 60064 2780 ? S<s 22:46 0:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock --private-key=db:Open_vSwitch,SSL,private_key --certificate=db:Open_vSwitch,SSL,certificate --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovsdb-server.log --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach
openvsw+ 10591 0.0 0.0 62572 15384 ? S<Ls 22:46 0:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:openvswitch --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root 11278 0.0 0.0 132120 11048 ? Ss 22:47 0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root 11279 0.0 0.0 132120 12264 ? S 22:47 0:00 /usr/bin/python3 /usr/share/openvswitch/scripts/ovs-monitor-ipsec --pidfile=/var/run/openvswitch/ovs-monitor-ipsec.pid --ike-daemon=libreswan --log-file --detach --monitor unix:/var/run/openvswitch/db.sock
root 11303 0.0 0.0 112812 964 pts/0 S+ 22:54 0:00 grep --color=auto ovs
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]#
Created attachment 1747309 [details]
audit log for permissive
Setup steps are below; please see audit_permissive.log. Note that the PSK passed via options:psk is stored in the OVSDB interface options and is visible both on the command line and in the ovs-vsctl show output below, so test123 is a throwaway value for testing only.
[root@dell-per730-04 ~]# nmcli dev set eno1np0 managed no
[root@dell-per730-04 ~]# ip add add 192.168.123.1/24 dev eno1np0
[root@dell-per730-04 ~]# systemctl restart openvswitch
[root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
ovs-vsctl: no bridge named ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-br ovsbr0
[root@dell-per730-04 ~]# ovs-vsctl add-port ovsbr0 tun123 -- set interface tun123 type=gre options:remote_ip=192.168.123.2 options:local_ip=192.168.123.1 options:psk=test123
[root@dell-per730-04 ~]# ip link set ovsbr0 up
[root@dell-per730-04 ~]# ip add add 172.16.30.1/24 dev ovsbr0
[root@dell-per730-04 ~]#
[root@dell-per730-04 ~]# ip add l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 14:18:77:35:5b:1b brd ff:ff:ff:ff:ff:ff
inet 10.73.88.41/23 brd 10.73.89.255 scope global dynamic noprefixroute eno1
valid_lft 42450sec preferred_lft 42450sec
inet6 2620:52:0:4958:1618:77ff:fe35:5b1b/64 scope global dynamic noprefixroute
valid_lft 2591901sec preferred_lft 604701sec
inet6 fe80::1618:77ff:fe35:5b1b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:35:5b:1c brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:35:5b:1d brd ff:ff:ff:ff:ff:ff
5: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:ab:35:64 brd ff:ff:ff:ff:ff:ff
6: eno4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 14:18:77:35:5b:1e brd ff:ff:ff:ff:ff:ff
7: enp5s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:ab:35:66 brd ff:ff:ff:ff:ff:ff
8: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:4d:12:2d:ac brd ff:ff:ff:ff:ff:ff
inet 192.168.123.1/24 scope global eno1np0
valid_lft forever preferred_lft forever
9: eno1np1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:4d:12:2d:ad brd ff:ff:ff:ff:ff:ff
10: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
11: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b6:62:d2:aa:84:60 brd ff:ff:ff:ff:ff:ff
12: ovsbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 0a:e7:01:12:50:4d brd ff:ff:ff:ff:ff:ff
inet 172.16.30.1/24 scope global ovsbr0
valid_lft forever preferred_lft forever
inet6 fe80::8e7:1ff:fe12:504d/64 scope link
valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre_sys@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc fq_codel master ovs-system state UNKNOWN group default qlen 1000
link/ether b6:7d:6b:a4:1c:fe brd ff:ff:ff:ff:ff:ff
inet6 fe80::b47d:6bff:fea4:1cfe/64 scope link
valid_lft forever preferred_lft forever
[root@dell-per730-04 ~]# cat /etc/ipsec.conf
# Generated by ovs-monitor-ipsec...do not modify by hand!
config setup
uniqueids=yes
conn %default
keyingtries=%forever
type=transport
auto=route
ike=aes_gcm256-sha2_256
esp=aes_gcm256
ikev2=insist
conn tun123-1
left=192.168.123.1
right=192.168.123.2
authby=secret
leftprotoport=gre
rightprotoport=gre
[root@dell-per730-04 ~]# ovs-vsctl show
3f83e055-0f31-4935-b05e-ba82261dd80c
Bridge ovsbr0
Port ovsbr0
Interface ovsbr0
type: internal
Port tun123
Interface tun123
type: gre
options: {local_ip="192.168.123.1", psk=test123, remote_ip="192.168.123.2"}
ovs_version: "2.13.2"
[root@dell-per730-04 ~]#
Created attachment 1747702 [details]
audit log for self signed certificate
Created attachment 1747703 [details]
audit log for CA signed certificate
Latest build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34299607 It will resolve all but one class of AVCs. The class to which I'm referring: type=AVC msg=audit(1610697438.686:243): avc: denied { read } for pid=24057 comm="openssl" name="h1-cert.pem" dev="dm-0" ino=134568189 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 This AVC says that openssl, running in the openvswitch_t domain, tried to read a file labelled admin_home_t (i.e. under /root). The policy deliberately does not grant openvswitch_t access to /root, and it should not. Can you update your steps so the certificate and key files (here h1-cert.pem) are placed somewhere other than /root, ideally a location that would be used in production? /tmp is acceptable for a quick test, but files created there get a tmp label rather than ipsec_key_file_t and would still need relabelling, so a dedicated directory is preferable. I think it's inappropriate for /root to be accessible to the openvswitch domain. Created attachment 1748383 [details]
audit_self_signed_1.log
With openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch, the self-signed certificate and CA-signed certificate modes still do not work. Please see the attached log for self-signed certificate mode and the trace below.
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:15.955803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 25011, offset 0, flags [DF], proto GRE (47), length 122)
192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102
26:57:a3:07:c3:46 > 62:0c:8d:ca:2a:41, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 56144, offset 0, flags [DF], proto ICMP (1), length 84)
172.16.123.1 > 172.16.123.2: ICMP echo request, id 44620, seq 7, length 64
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]#
[root@dell-per730-04 ipsec]# setenforce permissive
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:57:50.771791 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 42000, offset 0, flags [DF], proto ESP (50), length 156)
192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x4), length 136
1 packet captured
2 packets received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]# setenforce enforcing
[root@dell-per730-04 ipsec]# getenforce
Enforcing
[root@dell-per730-04 ipsec]# tcpdump -nnev -i eno1np0 -c1 esp
dropped privs to tcpdump
tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:59:21.907810 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 28057, offset 0, flags [DF], proto ESP (50), length 156)
192.168.123.1 > 192.168.123.2: ESP(spi=0xf8075f7d,seq=0x62), length 136
1 packet captured
1 packet received by filter
0 packets dropped by kernel
[root@dell-per730-04 ipsec]#
For self-signed certificate mode, after setenforce to permissive ESP can be tcpdumped, but for CA-signed certificate, systemctl restart openvswitch-ipsec is needed before ESP can be seen. Please see the trace below. [root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp dropped privs to tcpdump tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C 0 packets captured 0 packets received by filter 0 packets dropped by kernel [root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1 dropped privs to tcpdump tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes 03:31:03.731803 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 47503, offset 0, flags [DF], proto GRE (47), length 122) 192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102 72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 11072, offset 0, flags [DF], proto ICMP (1), length 84) 172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 12, length 64 1 packet captured 2 packets received by filter 0 packets dropped by kernel [root@dell-per730-04 ~]# [root@dell-per730-04 ~]# setenforce permissive [root@dell-per730-04 ~]# [root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 -c 1 dropped privs to tcpdump tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes 03:31:23.187763 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 136: (tos 0x0, ttl 64, id 58636, offset 0, flags [DF], proto GRE (47), length 122) 192.168.123.1 > 192.168.123.2: GREv0, Flags [none], proto TEB (0x6558), length 102 72:22:cd:fd:e8:49 > c6:3c:b5:e8:b3:40, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 18912, offset 0, flags [DF], proto ICMP (1), length 84) 172.16.123.1 > 172.16.123.2: ICMP echo request, id 7447, seq 31, length 64 1 packet captured 2 packets received by filter 0 packets dropped by kernel 
[root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp dropped privs to tcpdump tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C 0 packets captured 0 packets received by filter 0 packets dropped by kernel [root@dell-per730-04 ~]# systemctl restart openvswitch-ipsec [root@dell-per730-04 ~]# [root@dell-per730-04 ~]# tcpdump -nnev -i eno1np0 esp dropped privs to tcpdump tcpdump: listening on eno1np0, link-type EN10MB (Ethernet), capture size 262144 bytes 03:32:03.123771 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 11364, offset 0, flags [DF], proto ESP (50), length 156) 192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0x9), length 136 03:32:03.123973 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 40643, offset 0, flags [DF], proto ESP (50), length 156) 192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0x9), length 136 03:32:04.147794 00:15:4d:12:2d:ac > 3c:fd:fe:bb:1b:6c, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 12291, offset 0, flags [DF], proto ESP (50), length 156) 192.168.123.1 > 192.168.123.2: ESP(spi=0xfb490a60,seq=0xa), length 136 03:32:04.147945 3c:fd:fe:bb:1b:6c > 00:15:4d:12:2d:ac, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 41139, offset 0, flags [DF], proto ESP (50), length 156) 192.168.123.2 > 192.168.123.1: ESP(spi=0x243d5d94,seq=0xa), length 136 ^C 4 packets captured 4 packets received by filter 0 packets dropped by kernel [root@dell-per730-04 ~]# Created attachment 1748615 [details]
audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp
Created attachment 1748616 [details]
audit log for CA signed certificate with openvswitch-selinux-extra-policy-1.0-26.el8fdp
Created attachment 1748913 [details] audit log for self signed certificate with openvswitch-selinux-extra-policy-1.0-27.el8fdp (In reply to Aaron Conole from comment #27) > https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=34369487 > > This build should resolve the perf_event issue. The build still has issue. Please see the attached audit_27.log. Thanks. Created attachment 1748921 [details] audit log for 27 with permissive The attachment in comment#28 is for selinux enforcing. This one is for selinux permissive. Thanks. [root@dell-per730-04 ipsec]# rpm -qa | grep selin selinux-policy-targeted-3.14.3-60.el8.noarch libselinux-2.9-5.el8.x86_64 selinux-policy-3.14.3-60.el8.noarch python3-libselinux-2.9-5.el8.x86_64 libselinux-utils-2.9-5.el8.x86_64 openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch rpm-plugin-selinux-4.14.3-4.el8.x86_64 [root@dell-per730-04 ipsec]# [root@dell-per730-04 ipsec]# rpm -qa | grep openvswitch python3-openvswitch2.13-2.13.0-79.el8fdp.x86_64 openvswitch2.13-ipsec-2.13.0-79.el8fdp.x86_64 openvswitch-selinux-extra-policy-1.0-27.el8fdp.noarch openvswitch2.13-2.13.0-79.el8fdp.x86_64 kernel-kernel-networking-openvswitch-ipsec-1.0-7.noarch [root@dell-per730-04 ipsec]# [root@dell-per730-04 ipsec]# uname -a Linux dell-per730-04.rhts.eng.pek2.redhat.com 4.18.0-275.el8.x86_64 #1 SMP Sat Jan 16 07:11:30 EST 2021 x86_64 x86_64 x86_64 GNU/Linux [root@dell-per730-04 ipsec]# With selinux Enforcing, RHEL-8.3.0-updates-20201210.2 doesn't work for self-signed and CA-signed certificate modes either. [root@dell-per730-04 ipsec]# uname -r 4.18.0-240.8.1.el8_3.x86_64 With selinux Enforcing, RHEL-8.3.0 doesn't work for self-signed and CA-signed certificate modes either. 
[root@dell-per730-04 ~]# rpm -qa | grep selinux selinux-policy-3.14.3-54.el8.noarch libselinux-2.9-3.el8.x86_64 libselinux-utils-2.9-3.el8.x86_64 rpm-plugin-selinux-4.14.3-4.el8.x86_64 selinux-policy-targeted-3.14.3-54.el8.noarch python3-libselinux-2.9-3.el8.x86_64 openvswitch-selinux-extra-policy-1.0-26.el8fdp.noarch [root@dell-per730-04 ~]# uname -r 4.18.0-240.el8.x86_64 [root@dell-per730-04 ~]# The only selinux issue is: 05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8} ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC /tmp/mozilla_aconole0/audit_27_permissive.log type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" No other AVCs logged, and that is a user-emitted AVC. What errors are you getting now? (In reply to Aaron Conole from comment #32) > The only selinux issue is: > > 05:53:19 aconole@dhcp-25 {fast-datapath-rhel-8} > ~/rhpkg/openvswitch-selinux-extra-policy$ grep AVC > /tmp/mozilla_aconole0/audit_27_permissive.log > type=USER_AVC msg=audit(1611110562.329:321): pid=1636 uid=81 auid=4294967295 > ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 > msg='avc: received setenforce notice (enforcing=0) > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" > AUID="unset" SAUID="dbus" > > No other AVCs logged, and that is a user-emitted AVC. > > What errors are you getting now? With SELinux Enforcing, no IPsec ESP can be seen in the packets through the tunnel. I'm not sure if the messages below from /var/log/audit/audit.log are related. 
[root@dell-per730-04 ipsec]# cat /var/log/audit/audit.log | grep ipsec type=SERVICE_STOP msg=audit(1611225712.678:1066): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=SERVICE_STOP msg=audit(1611225718.234:1074): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1075): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1075): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=7f0ddddad9a0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1076): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1076): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" 
EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1077): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1077): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1078): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1078): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1079): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1079): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225718.606:1080): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225718.606:1080): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffd6f01ce40 a2=b8 a3=0 items=0 ppid=1 pid=58527 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SERVICE_START msg=audit(1611225718.607:1081): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=SERVICE_START msg=audit(1611225718.632:1082): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=SERVICE_STOP msg=audit(1611225723.664:1084): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? 
res=success'UID="root" AUID="unset" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1085): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225724.027:1085): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=7f06f998e9a0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1086): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225724.027:1086): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1087): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225724.027:1087): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1088): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225724.027:1088): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1089): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225724.027:1089): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225724.027:1090): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" 
type=SYSCALL msg=audit(1611225724.027:1090): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe3f70dcc0 a2=b8 a3=0 items=0 ppid=1 pid=58880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SERVICE_START msg=audit(1611225724.028:1091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=SERVICE_STOP msg=audit(1611225850.286:1096): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" type=MAC_IPSEC_EVENT msg=audit(1611225850.670:1097): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.670:1097): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=7f783e0779a0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1098): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" 
type=SYSCALL msg=audit(1611225850.671:1098): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1099): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1099): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1100): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1100): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1101): 
op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1101): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=MAC_IPSEC_EVENT msg=audit(1611225850.671:1102): op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0000:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=0 dst=0000:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=0AUID="unset" type=SYSCALL msg=audit(1611225850.671:1102): arch=c000003e syscall=1 success=yes exit=184 a0=f a1=7ffe508162f0 a2=b8 a3=0 items=0 ppid=1 pid=65604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=system_u:system_r:ipsec_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" type=SERVICE_START msg=audit(1611225850.671:1103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset" [root@dell-per730-04 ipsec]# Please include the following information: ls -lahZ /path/to/keyfiles/* and /var/log/openvswitch/ovs-monitor-ipsec.log I found that I could reproduce similar behavior to you, where there aren't any audited issues, but that is due to the selinux label of the key files. 
We probably need to document what those labels should be, but since they are user supplied, we cannot enforce a specific label scheme. Created attachment 1749600 [details] ovs-monitor-ipsec.log (In reply to Aaron Conole from comment #34) > Please include the following information: > > ls -lahZ /path/to/keyfiles/* [root@dell-per730-04 ipsec]# ls -lahZ /tmp/keys/* -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h1-cert.pem -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h1-privkey.pem -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h1-req.pem -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 4.2K Jan 21 20:37 /tmp/keys/h2-cert.pem -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 1.7K Jan 21 20:37 /tmp/keys/h2-privkey.pem -rw-------. 1 root root unconfined_u:object_r:user_tmp_t:s0 3.6K Jan 21 20:37 /tmp/keys/h2-req.pem [root@dell-per730-04 ipsec]# > > and /var/log/openvswitch/ovs-monitor-ipsec.log Please see the attachment ovs-monitor-ipsec.log > > I found that I could reproduce similar behavior to > you, where there aren't any audited issues, but that > is due to the selinux label of the key files. > > We probably need to document what those labels > should be, but since they are user supplied, we cannot > enforce a specific label scheme. Thanks Try making the change to your key file area: chcon -R -t ipsec_key_file_t /tmp/keys This will label your key files with the expected labels. I see from the logs: 2021-01-22T01:41:35.376Z | 66 | ovs-monitor-ipsec | WARN | b"Can't open /tmp/keys/h1-cert.pem for reading, Permission denied\n139991330424640:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:69:fopen('/tmp/keys/h1-cert.pem','r')\n139991330424640:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:\nunable to load certificate\n" which may be a suppressed MAC control error w.r.t. 
the user_tmp_t label. (In reply to Aaron Conole from comment #36) > Try making the change to your key file area: > > chcon -R -t ipsec_key_file_t /tmp/keys > > This will label your key files with the expected labels. > The solution solves the issue. And currently all three modes work well. Thank you. Beaker job: https://beaker.engineering.redhat.com/jobs/5022051 Created attachment 1751885 [details]
Audit logs for AVC when running ovs-appctl
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0405