Bug 2100965
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [BLOCKED BY BZ2081636 and backport RHEL 8.6.z EUS] ovs-appctl selinux denials in ovirt-engine-4.5.0.7-0.9.el8ev | | |
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Robert McSwain <rmcswain> |
| Component: | rhv-security | Assignee: | eraviv |
| Status: | CLOSED DEFERRED | QA Contact: | msheena |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.4.9 | CC: | amusil, jortialc, mburman, mperina, paulds |
| Target Milestone: | --- | Keywords: | TestOnly |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2102567 | Environment: | |
| Last Closed: | 2023-07-17 07:47:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2081636, 2102567 | | |
| Bug Blocks: | | | |
Tested on
=========
ovirt-engine-4.5.3.4-1.el8ev.noarch (hosted engine deployment)
openvswitch-selinux-extra-policy-1.0-30.el8fdp.noarch

Reason for failure
==================
The same log messages described in the description were found in the journalctl output:

```
ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1130.ctl
ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: ...
```

There are no confirmed issues affecting RHV functionality around those selinux denials, so deferring due to lack of resources.
Following our recent upgrade to ovirt-engine-4.5.0.7-0.9.el8ev and subsequent reboot of our self-hosted engine VM, we began noticing the following selinux denials in the logs:

```
Jun 3 03:27:04 cs-hcim ovs-appctl[162049]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnnb_db.ctl
Jun 3 03:27:04 cs-hcim ovs-appctl[162050]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1186.ctl
Jun 3 03:27:04 cs-hcim ovs-appctl[162051]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
Jun 3 03:27:07 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun 3 03:27:09 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovn-northd.1186.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun 3 03:27:23 cs-hcim setroubleshoot[162106]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
```

```
[root@cs-hcim ~]# sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-appctl should be allowed write access on the ovnsb_db.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp

Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                ovnsb_db.ctl [ sock_file ]
Source                        ovs-appctl
Source Path                   /usr/bin/ovs-appctl
Port                          <Unknown>
Host                          cs-hcim.bu.edu
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cs-hcim.bu.edu
Platform                      Linux cs-hcim.bu.edu 4.18.0-372.9.1.el8.x86_64 #1 SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-06-02 03:36:05 EDT
Last Seen                     2022-06-03 03:27:04 EDT
Local ID                      7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

Raw Audit Messages
type=AVC msg=audit(1654241224.946:1422): avc: denied { write } for pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

Hash: ovs-appctl,openvswitch_t,var_run_t,sock_file,write
```

All of the target files mentioned appear to reside in /run/ovn:

```
[root@cs-hcim ~]# ls -lZ /run/ovn/
total 12
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovn-northd.1186.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovn-northd.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnnb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.sock
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnsb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.sock
```

No effect from restorecon:

```
[root@cs-hcim ~]# restorecon -rv /run/ovn/
[root@cs-hcim ~]#
```

This suggests there is a bug in the selinux policy.

Versions and last update time of related packages:

```
[root@cs-hcim ~]# rpm -qa --last | grep "openvswitch\|selinux-policy"
ovirt-openvswitch-ovn-central-2.15-3.el8ev.noarch     Tue 31 May 2022 12:05:48 PM EDT
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64       Tue 31 May 2022 12:05:47 PM EDT
ovirt-python-openvswitch-2.15-3.el8ev.noarch          Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-common-2.15-3.el8ev.noarch      Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-2.15-3.el8ev.noarch                 Tue 31 May 2022 12:05:47 PM EDT
openvswitch2.15-2.15.0-99.el8fdp.x86_64               Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-2.15-3.el8ev.noarch             Tue 31 May 2022 12:05:45 PM EDT
selinux-policy-targeted-3.14.3-95.el8.noarch          Thu 12 May 2022 08:57:03 AM EDT
selinux-policy-3.14.3-95.el8.noarch                   Thu 12 May 2022 08:56:44 AM EDT
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch Wed 16 Mar 2022 12:07:54 PM EDT
```

Additional info:

The following commands have been run in order to mitigate the messages at this time and were run successfully:

```
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp
```
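An added example (not from the bug report, nor from the openvswitch or oVirt projects): a small Python reviewer for raw AVC records such as the one quoted above, which rebuilds the rule audit2allow would generate and flags that its target type, var_run_t, is a catch-all label, so the local module widens openvswitch_t to every generic socket under /run while a file-context entry for the OVN sockets would be the narrow fix. The second audit record and the GENERIC_TARGET_TYPES list are constructed assumptions, not values from the page.

```python
"""Rebuild the allow rule audit2allow would emit from raw AVC records and
flag rules whose target is a generic label (var_run_t in this bug)."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the AVC record quoted in the bug report, plus a
# second, constructed record against a properly labelled socket for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1654241224.946:1422): avc: denied { write } for pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1654241300.000:1430): avc: denied { read write } for pid=4242 comm="example" name="example.sock" dev="tmpfs" ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=sock_file permissive=0
"""

# Catch-all labels (assumed list): allowing openvswitch_t to write var_run_t
# sock_files covers every unlabelled socket under /run, not just the OVN ones.
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t",
                        "usr_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Fields of one raw AVC record (quotes stripped), or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec

def parse_audit(text: str) -> List[Dict[str, Any]]:
    return [r for r in map(parse_avc, text.splitlines()) if r]

def type_of(context: str) -> str:
    """user:role:type[:range] -> type, e.g. system_u:system_r:openvswitch_t:s0-s0:c0.c1023 -> openvswitch_t."""
    return context.split(":")[2]

def allow_rule(rec: Dict[str, Any]) -> str:
    """The allow rule audit2allow derives from one denial."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(rec['scontext'])} {type_of(rec['tcontext'])}:{rec['tclass']} {perm_str};"

def target_is_generic(rec: Dict[str, Any]) -> bool:
    """True when the derived rule would open a catch-all type to the source domain."""
    return type_of(rec["tcontext"]) in GENERIC_TARGET_TYPES

def review(text: str) -> List[str]:
    """One verdict per denial: relabel the target (file-context fix) or the rule is narrow."""
    return [f"{'RELABEL TARGET' if target_is_generic(r) else 'ok'}: {allow_rule(r)}"
            f"  (comm={r['comm']} name={r['name']})" for r in parse_audit(text)]
```

Running `review(SAMPLE_AUDIT)` on the bug's record yields `RELABEL TARGET: allow openvswitch_t var_run_t:sock_file write;`, the same rule the `audit2allow -M my-ovsappctl` step above installs.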