Bug 1276170 - openvswitch fails to start: netlink_generic_socket
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: x86_64 Linux
Severity: urgent
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2015-10-28 20:39 EDT by Flavio Leitner
Modified: 2015-11-26 22:54 EST
Fixed In Version: selinux-policy-3.13.1-128.21.fc22
Doc Type: Bug Fix
Last Closed: 2015-11-26 22:54:35 EST
Type: Bug
Attachments: None

Description Flavio Leitner 2015-10-28 20:39:42 EDT
Description of problem:

During Open vSwitch initialization, it creates netlink sockets to communicate with the kernel.  Although it supports a userspace data path (no kernel), the service doesn't work with the kernel data path (the most common one).

type=AVC msg=audit(1446077087.786:2880): avc:  denied  { create } for  pid=28067 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-128.13.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start openvswitch
2. ovs-vsctl del-br br1
3. ovs-vsctl add-br br1

Additional info:
The fix seems to be similar to the one below but applied to Open vSwitch:
https://github.com/fedora-selinux/selinux-policy/commit/724896379c28e4b0f76a715baccc7c1d5318a04b
Comment 1 Flavio Leitner 2015-10-28 20:41:35 EDT
More denies:

type=MAC_STATUS msg=audit(1446079250.682:2916): enforcing=0 old_enforcing=1 auid=1000 ses=1
type=USER_AVC msg=audit(1446079254.747:2917): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1446079254.859:2918): avc:  denied  { create } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2919): avc:  denied  { setopt } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2920): avc:  denied  { getopt } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2921): avc:  denied  { connect } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2922): avc:  denied  { getattr } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=ANOM_PROMISCUOUS msg=audit(1446079254.860:2923): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1446079254.882:2924): dev=br0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1446079254.886:2925): dev=br1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SERVICE_START msg=audit(1446079254.915:2926): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-nonetwork comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1446079254.931:2927): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 2 Antony Messerli 2015-11-13 16:18:43 EST
I was able to fix the denies in the audit log by putting together a quick policy:

module openvswitch 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { getopt getattr create connect setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect getopt getattr create setopt };

But then I started running into issues where the bridges wouldn't get created when restarting openvswitch.  I was running in enforcing mode:

Nov 13 14:39:16 localhost.localdomain ovs-ctl[1409]: Configuring Open vSwitch system IDs [  OK  ]
Nov 13 14:39:16 localhost.localdomain kernel: openvswitch: Open vSwitch switching datapath
Nov 13 14:39:16 localhost.localdomain ovs-ctl[1409]: Inserting openvswitch module [  OK  ]
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00006|netlink_socket|ERR|transaction error (Permission denied)
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00007|dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. The Open vSwitch kernel module is probably not loaded.
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00010|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00011|ofproto|ERR|failed to open datapath br0: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00012|bridge|ERR|failed to create bridge br0: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00015|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00016|ofproto|ERR|failed to open datapath private: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00017|bridge|ERR|failed to create bridge private: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00020|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00021|ofproto|ERR|failed to open datapath public: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00022|bridge|ERR|failed to create bridge public: Permission denied

If I flipped to permissive mode, I no longer got those errors and the bridges would get created after restarting the service.  I did notice that these calls showed up in permissive mode though within the audit.log:

type=ANOM_PROMISCUOUS msg=audit(1447445934.513:472): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.522:473): dev=eno16777736 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.530:474): dev=br0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.534:475): dev=public prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447446031.132:491): dev=private prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295

Are those somehow getting restricted too but just not bubbling up to the audit log when in enforcing mode?
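The denials in comment 1 and the hand-written module in comment 2 are two ends of the same mechanical step: collect the AVC records for one source domain, merge the denied permissions per (source type, target type, object class), and emit an allow rule. This is what audit2allow does; the script below is an added example written for this page, not code from the bug, from Open vSwitch or from selinux-policy. Its input is a constructed log made of the five AVC lines quoted in comment 1 plus one ANOM_PROMISCUOUS line from the same log, and the module name and version ("openvswitch", "1.0") are taken from comment 2.

```python
"""Turn SELinux AVC denial records into a local Type Enforcement module,
the way audit2allow does, using the ovs-vswitchd denials from this bug."""
import re
from collections import defaultdict

# Constructed sample log: the five AVC records quoted in comment 1, followed
# by one ANOM_PROMISCUOUS record to show that it is not an access denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446079254.859:2918): avc:  denied  { create } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2919): avc:  denied  { setopt } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2920): avc:  denied  { getopt } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2921): avc:  denied  { connect } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2922): avc:  denied  { getattr } for  pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=ANOM_PROMISCUOUS msg=audit(1446079254.860:2923): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
"""

# Only records of type AVC that carry "avc:  denied" are policy decisions.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type:level  ->  type (the third field of the context)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target, tclass): set(perms)} for every AVC denial.

    Non-AVC records (ANOM_PROMISCUOUS, SERVICE_START, MAC_STATUS, ...) are
    skipped. When source and target type are the same the target is written
    as 'self', which is what comment 2 does by hand.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        target = "self" if stype == ttype else ttype
        rules[(stype, target, m["tclass"])].update(m["perms"].split())
    return rules


def render_module(name, version, rules):
    """Emit a .te module in the same layout as the one posted in comment 2."""
    types = {s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"}
    class_perms = defaultdict(set)       # require{} needs each class once
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass] |= perms

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {target}:{tclass} "
                   f"{{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("openvswitch", "1.0", parse_denials(SAMPLE_AUDIT_LOG)))
```

The generated rule grants openvswitch_t those five permissions on its own netlink_generic_socket objects and nothing toward any other domain, which is the least-privilege shape a local module should keep. To load such a module, compile the .te with `checkmodule -M -m -o openvswitch.mod openvswitch.te`, package it with `semodule_package -o openvswitch.pp -m openvswitch.mod`, and install it with `semodule -i openvswitch.pp`. Two checks are worth doing before concluding that a module is complete: first, the ANOM_PROMISCUOUS records are emitted by the kernel whenever an interface's promiscuous-mode count changes (OVS puts its ports into promiscuous mode), so the parser ignores them; they are not SELinux decisions and no allow rule affects them. Second, a "Permission denied" that produces no AVC record in enforcing mode is often a denial covered by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the missing permissions show up in audit.log, and `semodule -B` restores the normal policy afterwards.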
Comment 3 Miroslav Grepl 2015-11-20 07:45:40 EST
https://github.com/fedora-selinux/selinux-policy/commit/87a8c2c7f70cf5d71cc2ba87f5a7f210dcc19eec

commit 87a8c2c7f70cf5d71cc2ba87f5a7f210dcc19eec
Merge: e3ee3c5 19d02be
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Nov 19 11:51:27 2015 +0100

    Merge pull request #69 from vmojzis/f22-contrib
    
    Allow iscsid create netlink iscsid sockets. - backport
Comment 4 Fedora Update System 2015-11-20 08:12:35 EST
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 5 Fedora Update System 2015-11-21 12:51:36 EST
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
Comment 6 André Martins 2015-11-23 10:09:06 EST
What about Fedora 23?
Comment 7 Eric Paris 2015-11-24 12:55:31 EST
I just tried selinux-policy-3.13.1-156.fc23.noarch and no dice...
Comment 8 Fedora Update System 2015-11-26 22:52:36 EST
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.