Bug 2230913

Summary: ovn: logrotate vlog/reopen fails due to selinux avc
Product: [Fedora] Fedora
Reporter: François Rigault <francois.rigault>
Component: ovn
Assignee: Numan Siddique <numan.siddique>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 39
CC: numan.siddique
Hardware: Unspecified
OS: Linux

Description François Rigault 2023-08-10 09:10:19 UTC
logrotate postrotate script uses ovs-appctl, causing a selinux issue
https://github.com/ovn-org/ovn/blob/main/rhel/etc_logrotate.d_ovn#L18

type=AVC msg=audit(1691657680.741:180): avc:  denied  { write } for  pid=2451 comm="ovs-appctl" name="ovn-controller.1646.ctl" dev="tmpfs" ino=1006 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

ovn-appctl could be used instead

Reproducible: Always

Steps to Reproduce:
1- start ovn-controller
2- keep it running for a day
3- lsof on the ovn-controller
Actual Results:
ovn-controller references a deleted file
ovn-controller.log file is empty
above AVC is logged

Expected Results:
ovn-controller should write logs into the new ovn-controller.log file

observed on rawhide and centos s9

selinux issue can also be reproduced with
systemd-run --unit foo --uid openvswitch --collect -- ovs-appctl -t /var/run/ovn/ovn-controller.1646.ctl vlog/reopen

vs working:

systemd-run --unit bar --uid openvswitch --collect -- ovn-appctl -t /var/run/ovn/ovn-controller.1646.ctl vlog/reopen
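
The AVC record quoted in this report, run through a small audit-log parser (an added example, not code from the OVN project or from the reporter): it pulls the SELinux source and target types, object class and requested permission out of each `type=AVC` line and keeps only enforced `sock_file` write denials like the one logrotate triggers here. The second sample record is constructed (the `demo` names are placeholders) to show that a `permissive=1` record is not flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC denial quoted in the bug report, plus one
# constructed permissive=1 record to show that the filter ignores it.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1691657680.741:180): avc:  denied  { write } for  pid=2451 '
    'comm="ovs-appctl" name="ovn-controller.1646.ctl" dev="tmpfs" ino=1006 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1691657700.000:181): avc:  denied  { write } for  pid=2460 '
    'comm="demo" name="demo.ctl" dev="tmpfs" ino=7 '
    'scontext=system_u:system_r:demo_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1',
]

# Header of an audit AVC record: timestamp:serial, result, { permissions }, then key=value fields
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Turn one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    rec["result"] = m.group("result")
    rec["permissions"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what the policy rules are written against
    rec["source_type"] = str(rec["scontext"]).split(":")[2]
    rec["target_type"] = str(rec["tcontext"]).split(":")[2]
    # permissive=0 means SELinux was enforcing, so the operation really failed
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec

def enforced_denials(lines: List[str], tclass: str = "sock_file",
                     perm: str = "write") -> List[Dict[str, object]]:
    """Keep only enforced denials of `perm` on objects of class `tclass`."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and rec["enforced"]
                and rec.get("tclass") == tclass and perm in rec["permissions"]):
            hits.append(rec)
    return hits
```

For the record above, `enforced_denials` reports `comm=ovs-appctl` running as `openvswitch_t` being refused write access to the control socket labelled `var_run_t`, which is the mismatch a policy or label fix would need to address.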

Comment 1 Fedora Release Engineering 2023-08-16 08:15:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.