Bug 1272674 - OVSBridge interfaces do not work with kernel 4.2.3
Summary: OVSBridge interfaces do not work with kernel 4.2.3
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-10-17 14:41 UTC by Jason Montleon
Modified: 2016-07-19 20:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 20:25:17 UTC
Type: Bug
Embargoed:



Description Jason Montleon 2015-10-17 14:41:07 UTC
Description of problem:
OVSBridge interfaces are not present on boot with kernel-4.2.3-200.fc22.x86_64

kernel-4.1.10-200.fc22.x86_64 worked fine

ifup br-rhci
ERROR    : [/etc/sysconfig/network-scripts/ifup-eth] Device br-rhci does not seem to be present, delaying initialization.

Version-Release number of selected component (if applicable):
kernel-4.2.3-200.fc22.x86_64

How reproducible:
Seems always. Two systems, multiple reboots.

Steps to Reproduce:
1. Install kernel 4.1.10-200
2. configure an openvswitch bridge
3. Upgrade the kernel and reboot

Actual results:
openvswitch bridges are not present on boot

Expected results:
openvswitch bridges are present on boot

Additional info:
Booting to kernel-4.1.10-200.fc22.x86_64 makes the interfaces workable.

# tail -f /var/log/messages -n 0
Oct 17 10:39:22 jmontleo systemd: Starting Open vSwitch Internal Unit...
Oct 17 10:39:22 jmontleo ovs-ctl: Starting ovsdb-server [  OK  ]
Oct 17 10:39:22 jmontleo ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait -- init -- set Open_vSwitch . db-version=7.12.1
Oct 17 10:39:22 jmontleo ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait set Open_vSwitch . ovs-version=2.4.0 "external-ids:system-id=\"46c569e5-a269-4d87-91e2-ed9b4a639a09\"" "system-type=\"Fedora\"" "system-version=\"22-TwentyTwo\""
Oct 17 10:39:22 jmontleo ovs-ctl: Configuring Open vSwitch system IDs [  OK  ]
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { create } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { setopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { getopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { connect } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { getattr } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo dbus[774]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct 17 10:39:22 jmontleo ovs-ctl: Starting ovs-vswitchd [  OK  ]
Oct 17 10:39:22 jmontleo ovs-ctl: Enabling remote OVSDB managers [  OK  ]
Oct 17 10:39:22 jmontleo systemd: Started Open vSwitch Internal Unit.
Oct 17 10:39:22 jmontleo systemd: Starting Open vSwitch...
Oct 17 10:39:22 jmontleo audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-nonetwork comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 17 10:39:22 jmontleo systemd: Started Open vSwitch.
Oct 17 10:39:22 jmontleo audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 17 10:39:22 jmontleo dbus[774]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l e365e98c-f20f-4bb0-b8c4-5c634fb5b692
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed create access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from setopt access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 0ef5f5f0-2450-4965-bfc8-e5d2b5ff2a77
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from setopt access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed setopt access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from getopt access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 980e08e9-9fb2-47e7-af34-0f1e134674f5
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from getopt access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed getopt access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from connect access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l fde06c5c-c8f2-4523-bfdc-81a58e26c757
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from connect access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed connect access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from getattr access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 3e3719c2-0fa8-41e4-b4ad-de654067f3d3
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from getattr access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed getattr access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
^C




[root@jmontleo ~]# grep ovs-vswitchd /var/log/audit/audit.log
type=AVC msg=audit(1445089688.458:102): avc:  denied  { create } for  pid=999 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092320.118:413): avc:  denied  { create } for  pid=5365 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092525.428:420): avc:  denied  { create } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:421): avc:  denied  { setopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:422): avc:  denied  { getopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:423): avc:  denied  { connect } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:424): avc:  denied  { getattr } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:433): avc:  denied  { create } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:434): avc:  denied  { setopt } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:435): avc:  denied  { getopt } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:436): avc:  denied  { connect } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:437): avc:  denied  { getattr } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:446): avc:  denied  { create } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:447): avc:  denied  { setopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:448): avc:  denied  { getopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:449): avc:  denied  { connect } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:450): avc:  denied  { getattr } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1



[root@jmontleo ~]# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -m ovs 

module ovs 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { getopt getattr create connect setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect getopt getattr create setopt };

Comment 1 Jason Montleon 2015-10-17 15:46:35 UTC
read and write are also needed to ifup the interface and send traffic across any vxlan interfaces.

module ovs-custom-1 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { write getattr setopt read getopt create connect };
}

#============= openvswitch_t ==============

allow openvswitch_t self:netlink_generic_socket { write getattr setopt read getopt create connect };

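As an added example (not part of this bug report or of the Open vSwitch or selinux-policy projects), here is a small Python triage helper that does what `audit2allow -m` did for the reporter: it parses AVC records like the ones quoted above, merges the permissions per source type, target type and object class into one allow rule, and flags a permission set that was collected only under `permissive=0`, where the first refusal normally aborts the caller, so later required permissions are never attempted (the first two audit records above show only `create` for that reason, while the permissive=1 runs show the full set). The sample records are constructed from lines quoted in this bug.

```python
import re
from collections import defaultdict
# Constructed sample: AVC records copied from this bug (one enforcing, three permissive).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1445089688.458:102): avc:  denied  { create } for  pid=999 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092525.428:420): avc:  denied  { create } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:421): avc:  denied  { setopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:423): avc:  denied  { connect } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
"""
# Only the type component of each context matters for a TE rule; the MLS range is skipped.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)

def parse_avc(text):
    """One dict per AVC denial line; other audit record types are skipped."""
    recs = []
    for m in filter(None, map(AVC_RE.match, text.splitlines())):
        recs.append({**m.groupdict(), "perms": set(m["perms"].split()),
                     "permissive": m["permissive"] == "1"})
    return recs

def aggregate(records):
    """Merge denials per (source type, target type, class) into one permission set."""
    agg = defaultdict(lambda: {"perms": set(), "seen_permissive": False})
    for r in records:
        entry = agg[(r["stype"], r["ttype"], r["tclass"])]
        entry["perms"] |= r["perms"]
        entry["seen_permissive"] |= r["permissive"]
    return dict(agg)

def incomplete_keys(agg):
    """Keys seen only in enforcing mode: the caller likely died at the first refusal, so the set is probably short."""
    return {k for k, v in agg.items() if not v["seen_permissive"]}

def render_module(name, agg):
    """Emit a TE policy module in the style of audit2allow -m."""
    classes = defaultdict(set)
    for (_, _, cls), v in agg.items():
        classes[cls] |= v["perms"]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in agg for t in k[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), v in sorted(agg.items()):
        tgt = "self" if s == t else t  # audit2allow writes self when source and target types match
        out.append(f"allow {s} {tgt}:{cls} {{ {' '.join(sorted(v['perms']))} }};")
    return "\n".join(out)
```

Feed the real `/var/log/audit/audit.log` to `parse_avc` and, if `incomplete_keys` is non-empty, re-run the failing service in permissive mode before trusting the generated rule, exactly as Comment 1 above found `read` and `write` were missing from the first module.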
Comment 2 Fedora End Of Life 2016-07-19 20:25:17 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

