Bug 1272674 - OVSBridge interfaces do not work with kernel 4.2.3
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2015-10-17 10:41 EDT by Jason Montleon
Modified: 2016-07-19 16:25 EDT
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-07-19 16:25:17 EDT
Attachments: None

Description Jason Montleon 2015-10-17 10:41:07 EDT
Description of problem:
OVSBridge interfaces are not present on boot with kernel-4.2.3-200.fc22.x86_64

kernel-4.1.10-200.fc22.x86_64 worked fine

ifup br-rhci
ERROR    : [/etc/sysconfig/network-scripts/ifup-eth] Device br-rhci does not seem to be present, delaying initialization.

Version-Release number of selected component (if applicable):
kernel-4.2.3-200.fc22.x86_64

How reproducible:
Seems always. Two systems, multiple reboots.

Steps to Reproduce:
1. Install kernel 4.1.10-200
2. Configure an openvswitch bridge
3. Upgrade the kernel and reboot

Actual results:
openvswitch bridges are not present on boot

Expected results:
openvswitch bridges are present on boot

Additional info:
Booting to kernel-4.1.10-200.fc22.x86_64 makes the interfaces workable.

# tail -f /var/log/messages -n 0
Oct 17 10:39:22 jmontleo systemd: Starting Open vSwitch Internal Unit...
Oct 17 10:39:22 jmontleo ovs-ctl: Starting ovsdb-server [  OK  ]
Oct 17 10:39:22 jmontleo ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait -- init -- set Open_vSwitch . db-version=7.12.1
Oct 17 10:39:22 jmontleo ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait set Open_vSwitch . ovs-version=2.4.0 "external-ids:system-id=\"46c569e5-a269-4d87-91e2-ed9b4a639a09\"" "system-type=\"Fedora\"" "system-version=\"22-TwentyTwo\""
Oct 17 10:39:22 jmontleo ovs-ctl: Configuring Open vSwitch system IDs [  OK  ]
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { create } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { setopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { getopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { connect } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo audit: <audit-1400> avc:  denied  { getattr } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
Oct 17 10:39:22 jmontleo dbus[774]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Oct 17 10:39:22 jmontleo ovs-ctl: Starting ovs-vswitchd [  OK  ]
Oct 17 10:39:22 jmontleo ovs-ctl: Enabling remote OVSDB managers [  OK  ]
Oct 17 10:39:22 jmontleo systemd: Started Open vSwitch Internal Unit.
Oct 17 10:39:22 jmontleo systemd: Starting Open vSwitch...
Oct 17 10:39:22 jmontleo audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-nonetwork comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 17 10:39:22 jmontleo systemd: Started Open vSwitch.
Oct 17 10:39:22 jmontleo audit: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 17 10:39:22 jmontleo dbus[774]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l e365e98c-f20f-4bb0-b8c4-5c634fb5b692
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed create access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from setopt access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 0ef5f5f0-2450-4965-bfc8-e5d2b5ff2a77
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from setopt access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed setopt access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from getopt access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 980e08e9-9fb2-47e7-af34-0f1e134674f5
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from getopt access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed getopt access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from connect access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l fde06c5c-c8f2-4523-bfdc-81a58e26c757
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from connect access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed connect access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Oct 17 10:39:23 jmontleo setroubleshoot: SELinux is preventing ovs-vswitchd from getattr access on the netlink_generic_socket Unknown. For complete SELinux messages. run sealert -l 3e3719c2-0fa8-41e4-b4ad-de654067f3d3
Oct 17 10:39:23 jmontleo python: SELinux is preventing ovs-vswitchd from getattr access on the netlink_generic_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ovs-vswitchd should be allowed getattr access on the Unknown netlink_generic_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
^C

[root@jmontleo ~]# grep ovs-vswitchd /var/log/audit/audit.log
type=AVC msg=audit(1445089688.458:102): avc:  denied  { create } for  pid=999 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092320.118:413): avc:  denied  { create } for  pid=5365 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092525.428:420): avc:  denied  { create } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:421): avc:  denied  { setopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:422): avc:  denied  { getopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:423): avc:  denied  { connect } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:424): avc:  denied  { getattr } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:433): avc:  denied  { create } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:434): avc:  denied  { setopt } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:435): avc:  denied  { getopt } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:436): avc:  denied  { connect } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092674.288:437): avc:  denied  { getattr } for  pid=6459 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:446): avc:  denied  { create } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:447): avc:  denied  { setopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:448): avc:  denied  { getopt } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:449): avc:  denied  { connect } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092762.268:450): avc:  denied  { getattr } for  pid=7532 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
[root@jmontleo ~]# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -m ovs 

module ovs 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { getopt getattr create connect setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect getopt getattr create setopt };
Comment 1 Jason Montleon 2015-10-17 11:46:35 EDT
read and write are also needed to ifup the interface and send traffic across any vxlan interfaces.

module ovs-custom-1 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { write getattr setopt read getopt create connect };
}

#============= openvswitch_t ==============

allow openvswitch_t self:netlink_generic_socket { write getattr setopt read getopt create connect };
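As an added example (not part of the bug report), a small Python parser that does by hand what the audit2allow step above does: it reads the AVC records from this report, groups the denied permissions by source type, target type and object class, and renders the same `allow openvswitch_t self:netlink_generic_socket { ... };` rule, while also counting how many denials were logged with permissive=0, i.e. the ones that actually blocked ovs-vswitchd. The SERVICE_START record is constructed to show that non-AVC lines are skipped.

```python
import re
from collections import defaultdict

# Sample records: the first five are AVC lines from the audit.log excerpt in this
# report; the last is a constructed non-AVC record that the parser must skip.
AUDIT_LINES = """\
type=AVC msg=audit(1445089688.458:102): avc:  denied  { create } for  pid=999 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1445092525.428:421): avc:  denied  { setopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:422): avc:  denied  { getopt } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:423): avc:  denied  { connect } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1445092525.428:424): avc:  denied  { getattr } for  pid=5771 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=SERVICE_START msg=audit(1445092762.300:451): pid=1 uid=0 msg='unit=openvswitch comm="systemd" res=success'
"""

# One AVC denial: permissions in braces, then source/target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # permissive=1 means the kernel logged but did not block; a missing field counts as enforcing
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def selinux_type(context):
    """user:role:type:level -> type (the only part an allow rule keys on)."""
    return context.split(":")[2]

def summarize_denials(lines):
    """Group denied permissions by (source type, target type, class); also count enforcing denials."""
    rules, enforcing = defaultdict(set), 0
    for rec in filter(None, map(parse_avc, lines)):
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
        enforcing += not rec["permissive"]
    return dict(rules), enforcing

def render_rules(rules):
    """Emit allow rules as audit2allow prints them; a type acting on its own objects uses 'self'."""
    return [
        f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]
```

Comment 1 above shows that read and write only appear once the bridge is brought up and traffic flows, so the rule set should be regenerated from the full audit.log after exercising the interface rather than from the first boot alone.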
Comment 2 Fedora End Of Life 2016-07-19 16:25:17 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
