+++ This bug was initially created as a clone of Bug #2100965 +++
Following our recent upgrade to ovirt-engine-4.5.0.7-0.9.el8ev and subsequent reboot of our self-hosted engine VM, we began noticing the following selinux denials in the logs:
Jun 3 03:27:04 cs-hcim ovs-appctl[162049]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnnb_db.ctl
Jun 3 03:27:04 cs-hcim ovs-appctl[162050]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1186.ctl
Jun 3 03:27:04 cs-hcim ovs-appctl[162051]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
Jun 3 03:27:07 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun 3 03:27:09 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovn-northd.1186.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun 3 03:27:23 cs-hcim setroubleshoot[162106]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
[root@cs-hcim ~]# sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ovs-appctl should be allowed write access on the ovnsb_db.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp
Additional Information:
Source Context system_u:system_r:openvswitch_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_run_t:s0
Target Objects ovnsb_db.ctl [ sock_file ]
Source ovs-appctl
Source Path /usr/bin/ovs-appctl
Port <Unknown>
Host cs-hcim.bu.edu
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cs-hcim.bu.edu
Platform Linux cs-hcim.bu.edu 4.18.0-372.9.1.el8.x86_64 #1
SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count 6
First Seen 2022-06-02 03:36:05 EDT
Last Seen 2022-06-03 03:27:04 EDT
Local ID 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Raw Audit Messages
type=AVC msg=audit(1654241224.946:1422): avc: denied { write } for pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
Hash: ovs-appctl,openvswitch_t,var_run_t,sock_file,write
All of the target files mentioned appear to reside in /run/ovn:
[root@cs-hcim ~]# ls -lZ /run/ovn/
total 12
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovn-northd.1186.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovn-northd.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnnb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.sock
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnsb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.sock
No effect from restorecon:
[root@cs-hcim ~]# restorecon -rv /run/ovn/
[root@cs-hcim ~]#
This suggests there is a bug in the selinux policy.
Versions and last update time of related packages:
[root@cs-hcim ~]# rpm -qa --last | grep "openvswitch\|selinux-policy"
ovirt-openvswitch-ovn-central-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:48 PM EDT
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64 Tue 31 May 2022 12:05:47 PM EDT
ovirt-python-openvswitch-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-common-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
openvswitch2.15-2.15.0-99.el8fdp.x86_64 Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:45 PM EDT
selinux-policy-targeted-3.14.3-95.el8.noarch Thu 12 May 2022 08:57:03 AM EDT
selinux-policy-3.14.3-95.el8.noarch Thu 12 May 2022 08:56:44 AM EDT
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch Wed 16 Mar 2022 12:07:54 PM EDT
Additional info:
The following commands have been run in order to mitigate the messages at this time and were run successfully:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:1291