Description of problem:
Running mininet causes several SELinux AVCs.

Version-Release number of selected component (if applicable):
openvswitch-1.11.0-1.fc19.x86_64
openvswitch-controller-1.11.0-1.fc19.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install mininet following the steps listed in https://github.com/mininet/mininet/pull/194 (the first two patches are the only ones needed)
2. systemctl start openvswitch
3. sudo mn
   or sudo mn -v debug
   or sudo mn --test pingall

Actual results:
The pingall test fails

Expected results:
Run the pingall test with success

Additional info:
* Mininet is a tool that uses openvswitch and network namespaces to create virtual networks.
* mininet homepage: http://mininet.org/
* mininet uses network namespaces

----------
# tail -n 100 audit.log | grep "type=AVC"
----------
type=AVC msg=audit(1378170683.196:882): avc: denied { name_connect } for pid=810 comm="ovs-vswitchd" dest=6633 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc: denied { name_bind } for pid=810 comm="ovs-vswitchd" src=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc: denied { node_bind } for pid=810 comm="ovs-vswitchd" src=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:884): avc: denied { listen } for pid=810 comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.198:885): avc: denied { accept } for pid=810 comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:900): avc: denied { name_bind } for pid=810 comm="ovs-vswitchd" src=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170856.962:901): avc: denied { name_connect } for pid=810 comm="ovs-vswitchd" dest=6633 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----------

----------
# tail -n 100 audit.log | audit2allow
----------
#============= openvswitch_t ==============
allow openvswitch_t node_t:tcp_socket node_bind;
allow openvswitch_t self:tcp_socket { accept listen };
allow openvswitch_t unreserved_port_t:tcp_socket { name_bind name_connect };
A couple of notes about the virtual network topologies created by mininet:

Virtual network topologies have the following defaults:
* the controller - ovs-controller - listens on TCP/6633
* the first switch listens on TCP/6634
* the second switch listens on TCP/6635
* ...

The default (minimal) topology created by "sudo mn" has:
* one controller
* one switch
* two hosts (h1:10.10.10.1; h2:10.10.10.2)

Each host is a bash process with its own IP address (network namespace).
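The following is an added example, not code from the bug report, from selinux-policy or from openvswitch/mininet. It parses AVC denial records like the ones quoted in the description, groups them into allow rules the way the `audit2allow` output in the report does, and lists the denied TCP ports so they can be matched against the port layout stated in the note above (controller on 6633, switch k on 6633+k). The sample log is constructed from the report's AVC lines plus one non-AVC record to show it is skipped; `mininet_role` is an illustration helper written here, not a mininet function.

```python
"""Added example: summarise SELinux AVC denials audit2allow-style and map
the denied TCP ports onto the mininet port layout from the bug report."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the report (one per
# line) plus a SYSCALL record, constructed here, that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378170683.196:882): avc:  denied  { name_connect } for  pid=810 comm="ovs-vswitchd" dest=6633 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { name_bind } for  pid=810 comm="ovs-vswitchd" src=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:883): avc:  denied  { node_bind } for  pid=810 comm="ovs-vswitchd" src=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.197:884): avc:  denied  { listen } for  pid=810 comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=AVC msg=audit(1378170683.198:885): avc:  denied  { accept } for  pid=810 comm="ovs-vswitchd" lport=6634 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378170683.198:885): arch=c000003e syscall=43 success=no exit=-13 pid=810 comm="ovs-vswitchd"
"""

# "avc: denied { perm ... } for key=value ..." ; whitespace is flexible
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        # name_connect reports dest=, name_bind/node_bind report src=,
        # listen/accept report lport=; for tcp_socket all are port numbers
        'port': next((int(fields[k]) for k in ('dest', 'src', 'lport') if k in fields), None),
    }


def parse_audit_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """user:role:type:level -> type (third colon-separated field)."""
    return context.split(':')[2]


def allow_rules(records):
    """Group denials into (source type, target type, class) -> permissions,
    as audit2allow does; a target context equal to the source is 'self'."""
    rules = defaultdict(set)
    for r in records:
        target = 'self' if r['tcontext'] == r['scontext'] else type_of(r['tcontext'])
        rules[(type_of(r['scontext']), target, r['tclass'])].update(r['perms'])
    return rules


def format_rules(rules):
    """Render rules as 'allow src tgt:class perm;' lines, sorted like audit2allow."""
    lines = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'allow {stype} {target}:{tclass} {body};')
    return lines


def denied_tcp_ports(records):
    """Distinct TCP ports that appeared in a denial, ascending."""
    return sorted({r['port'] for r in records
                   if r['tclass'] == 'tcp_socket' and r['port'] is not None})


def mininet_role(port):
    """Illustration helper (assumption): the layout stated in the report,
    controller on 6633/TCP and switch k on 6633+k/TCP."""
    if port == 6633:
        return 'controller'
    if port > 6633:
        return f'switch {port - 6633}'
    return 'not a mininet port'


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print('#============= openvswitch_t ==============')
    for line in format_rules(allow_rules(recs)):
        print(line)
    for p in denied_tcp_ports(recs):
        print(f'{p}/tcp denied for {recs[0]["comm"]} ({mininet_role(p)})')
```

The three rules produced are exactly the ones audit2allow printed in the report. Note what they grant: `name_bind`/`name_connect` on `unreserved_port_t` lets ovs-vswitchd bind and connect to any unreserved port, not just 6633 and 6634, which is why labelling the specific ports in the distribution policy (the route taken when the bug was reassigned to selinux-policy) is the narrower fix compared with loading the audit2allow output as a local module.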
What version of selinux-policy do you have installed?
Sorry! I forgot to add the selinux package info.

Selinux version when the ticket was created:
selinux-policy-3.12.1-73.fc19.noarch
selinux-policy-targeted-3.12.1-73.fc19.noarch

The problem can still be reproduced with:
selinux-policy-targeted-3.12.1-74.10.fc19.noarch
selinux-policy-3.12.1-74.10.fc19.noarch
BTW: I have here a SRPM that builds and installs correctly in Fedora19+ [1]:

http://um-pe09-2.di.uminho.pt/fedora/mininet-2.1.0-0.1.fc19.src.rpm

Contents:
---------
$ rpm -qpl mininet-2.1.0-0.1.fc19.src.rpm
---------
0001-Fixes-compiler-warning-implicit-declaration-of-funct.patch
0002-Fixes-compiler-warning-control-reaches-end-of-non-vo.patch
mininet-2.1.0.tar.gz
mininet.spec
---------

Note: the two patches have already been pulled by upstream (but only after the 2.1.0 release).

[1] - still need to test the python examples to see which modules have to be added to the requirements list.
Reassigning to selinux-policy to update the policy.
This means openvswitch can be a service listen on tcp_socket?

Is port 6634 the standard port this listens on?

And is 6633 a standard port it connects on?

grep 6633 /etc/services
cisco-vpath-tun 6633/udp # Cisco vPath Services Overlay
b9e29fc187e0ef9faeee1dd9772446cb45a4d031 and 1289f030a62736f6cb75af326064533d0e659a69 fix this in git. Needs to be back ported to RHEL7, F20 and F19
Daniel Walsh,

(In reply to Daniel Walsh from comment #6)
> This means openvswitch can be a service listen on tcp_socket?
>
> Is port 6634 the standard port this listens on?
>
> And is 6633 a standard port it connects on?
>
> grep 6633 /etc/services
> cisco-vpath-tun 6633/udp # Cisco vPath Services Overlay

The old de facto standard for the OpenFlow port has always been 6633/TCP. The problem is that when they contacted IANA to make it official, port 6633/UDP had already been given to Cisco, and the official OpenFlow port became 6653/TCP as of 2013-07-18 (see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openflow).

This change will cause problems for openvswitch and mininet (which uses openvswitch by default).

Regarding this particular ticket: currently mininet creates topologies using the following ports:
* 6633/TCP - controller
* 6634/TCP - first switch
* 6635/TCP - second switch
* 6636/TCP - third switch
* ... and so on ...

A minimal topology with 1 controller and 1 switch will only require ports 6633 and 6634/TCP. More complex topologies (user defined) will require n+1 ports where n is the number of switches.

/jpo
back ported to F20 (also RHEL7) and F19 branch.
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).
Hi,

mininet is in my todo list on packaging.

If you have time, please help test this package when I submit it.

Thank you!
Christopher Meng,

(In reply to Christopher Meng from comment #12)
> Hi,
>
> mininet is in my todo list on packaging.
>
> If you have time, please help test this package when I submit it.

.. or, instead of starting from scratch, you could help improve the mininet SRPM/specfile listed in comment #4.

Note:
* the two patches included in the SRPM are already upstream (just have to check if they were included in mininet 2.1.0p1)

/jpo
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.