Description of problem:
During the Open vSwitch initialization, it creates netlink sockets to communicate with the kernel. Although it supports a userspace data path (no kernel), the service doesn't work with the kernel data path (most common).

type=AVC msg=audit(1446077087.786:2880): avc: denied { create } for pid=28067 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-128.13.fc22.noarch

How reproducible:
Always

Steps to Reproduce:
1. systemctl start openvswitch
2. ovs-vsctl del-br br1
3. ovs-vsctl add-br br1

Additional info:
The fix seems to be similar to the one below but applied to Open vSwitch:
https://github.com/fedora-selinux/selinux-policy/commit/724896379c28e4b0f76a715baccc7c1d5318a04b
More denies:

type=MAC_STATUS msg=audit(1446079250.682:2916): enforcing=0 old_enforcing=1 auid=1000 ses=1
type=USER_AVC msg=audit(1446079254.747:2917): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1446079254.859:2918): avc: denied { create } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2919): avc: denied { setopt } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2920): avc: denied { getopt } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2921): avc: denied { connect } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2922): avc: denied { getattr } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=ANOM_PROMISCUOUS msg=audit(1446079254.860:2923): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1446079254.882:2924): dev=br0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1446079254.886:2925): dev=br1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SERVICE_START msg=audit(1446079254.915:2926): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-nonetwork comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1446079254.931:2927): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
I was able to fix the denies in the audit log by putting together a quick policy:

module openvswitch 1.0;

require {
	type openvswitch_t;
	class netlink_generic_socket { getopt getattr create connect setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect getopt getattr create setopt };

But then I started running into issues where the bridges wouldn't get created when restarting openvswitch. I was running in enforcing mode:

Nov 13 14:39:16 localhost.localdomain ovs-ctl[1409]: Configuring Open vSwitch system IDs [ OK ]
Nov 13 14:39:16 localhost.localdomain kernel: openvswitch: Open vSwitch switching datapath
Nov 13 14:39:16 localhost.localdomain ovs-ctl[1409]: Inserting openvswitch module [ OK ]
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00006|netlink_socket|ERR|transaction error (Permission denied)
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00007|dpif_netlink|ERR|Generic Netlink family 'ovs_datapath' does not exist. The Open vSwitch kernel module is probably not loaded.
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00010|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00011|ofproto|ERR|failed to open datapath br0: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00012|bridge|ERR|failed to create bridge br0: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00015|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00016|ofproto|ERR|failed to open datapath private: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00017|bridge|ERR|failed to create bridge private: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00020|ofproto_dpif|ERR|failed to open datapath of type system: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00021|ofproto|ERR|failed to open datapath public: Permission denied
Nov 13 14:39:16 localhost.localdomain ovs-vswitchd[1441]: ovs|00022|bridge|ERR|failed to create bridge public: Permission denied

If I flipped to permissive mode, I no longer got those errors and the bridges would get created after restarting the service.

I did notice that these calls showed up in permissive mode though within the audit.log:

type=ANOM_PROMISCUOUS msg=audit(1447445934.513:472): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.522:473): dev=eno16777736 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.530:474): dev=br0 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447445934.534:475): dev=public prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1447446031.132:491): dev=private prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295

Are those somehow getting restricted too but just not bubbling up to the audit log when in enforcing mode?
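The comments above show the raw AVC records and the allow rule that was written by hand from them. The following script, added here as an illustration and not code from this bug report or from the selinux-policy project, does that translation mechanically in the style of audit2allow: it parses AVC records, collapses identical source/target contexts to `self`, merges the denied permissions per object class, and renders a `.te` module. It also separates denials logged with permissive=0 from those logged with permissive=1, which shows why only `create` appeared while enforcing (ovs-vswitchd could not get past socket creation, so the later setopt/getopt/connect/getattr checks were never reached) and why the full set only shows up in permissive mode. Records such as MAC_STATUS and ANOM_PROMISCUOUS are skipped: ANOM_PROMISCUOUS is the kernel's notification that an interface entered promiscuous mode, not an SELinux access decision. The sample log is constructed from records quoted in this thread; the regular expression assumes the field order seen in those records (scontext, tcontext, tclass).

```python
"""Minimal audit2allow-style summariser for SELinux AVC denial records.

Added example; not code from the bug report or from selinux-policy.
The regex and rendering are assumptions that match the records quoted
in the thread, which is where the sample log below is taken from.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records from the thread, plus non-AVC records
# (MAC_STATUS, ANOM_PROMISCUOUS) that a denial parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446077087.786:2880): avc: denied { create } for pid=28067 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=MAC_STATUS msg=audit(1446079250.682:2916): enforcing=0 old_enforcing=1 auid=1000 ses=1
type=AVC msg=audit(1446079254.859:2918): avc: denied { create } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2919): avc: denied { setopt } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2920): avc: denied { getopt } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2921): avc: denied { connect } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1446079254.859:2922): avc: denied { getattr } for pid=29431 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=ANOM_PROMISCUOUS msg=audit(1446079254.860:2923): dev=ovs-system prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
"""

# Field order (scontext, tcontext, tclass, optional permissive) is an
# assumption that matches the records above.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} +for +'
    r'.*?comm="(?P<comm>[^"]*)" '
    r'.*?scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +'
    r'tclass=(?P<tclass>\S+)(?: +permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Extract one record per AVC denial line; every other record type is skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # MAC_STATUS, ANOM_PROMISCUOUS, ... are not access decisions
        denials.append({
            'comm': m.group('comm'),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': frozenset(m.group('perms').split()),
            'permissive': m.group('permissive') == '1',
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into {(source_type, target_type_or_self, class): {perms}}."""
    rules = defaultdict(set)
    for d in denials:
        target = 'self' if d['target'] == d['source'] else d['target']
        rules[(d['source'], target, d['tclass'])].update(d['perms'])
    return dict(rules)


def enforced_permissions(denials):
    """Permissions denied while enforcing (permissive=0): what the daemon actually hit."""
    perms = set()
    for d in denials:
        if not d['permissive']:
            perms |= d['perms']
    return perms


def render_te_module(name, rules, version='1.0'):
    """Render a policy module source (.te) in the same shape as the hand-written one."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.add(src)
        if tgt != 'self':
            types.add(tgt)
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {cls} {{ {" ".join(sorted(p))} }};' for cls, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print('denied while enforcing:', sorted(enforced_permissions(found)))
    print(render_te_module('openvswitch_local', build_allow_rules(found)))
```

The rendered module can be compiled and loaded the same way as the hand-written one (checkmodule, semodule_package, semodule). The thread's later comments show that the permanent fix was shipped in the distribution policy, so a local module of this kind is a stopgap until that update is installed.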
https://github.com/fedora-selinux/selinux-policy/commit/87a8c2c7f70cf5d71cc2ba87f5a7f210dcc19eec

commit 87a8c2c7f70cf5d71cc2ba87f5a7f210dcc19eec
Merge: e3ee3c5 19d02be
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 19 11:51:27 2015 +0100

    Merge pull request #69 from vmojzis/f22-contrib

    Allow iscsid create netlink iscsid sockets.
    - backport
selinux-policy-3.13.1-128.21.fc22 has been submitted as an update to Fedora 22.
https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-1bbd3df966
What about Fedora 23?
I just tried selinux-policy-3.13.1-156.fc23.noarch and no dice...
selinux-policy-3.13.1-128.21.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.