Description of problem:
SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ovs-vswitchd should be allowed create access on the Unknown netlink_generic_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        ovs-vswitchd
Source Path                   ovs-vswitchd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux ian.penurio.us 4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-16 14:23:33 CST
Last Seen                     2015-11-16 14:23:33 CST
Local ID                      a9248341-c071-4b62-9cd5-6bc229902870

Raw Audit Messages
type=AVC msg=audit(1447705413.311:107): avc: denied { create } for pid=1254 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0

Hash: ovs-vswitchd,openvswitch_t,openvswitch_t,netlink_generic_socket,create

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-154.fc23.noarch

How reproducible:
100%

Steps to Reproduce:
1. ovs-vsctl add-br br0

Actual results:
ovs-vsctl: Error detected while setting up 'br0'. See ovs-vswitchd log for details.

Expected results:
No error message; bridge created.
What is netlink_generic_socket? I don't see such a class in RHEL-7.2.

# seinfo -c | grep netlink
netlink_audit_socket
netlink_nflog_socket
netlink_tcpdiag_socket
netlink_route_socket
netlink_selinux_socket
netlink_ip6fw_socket
netlink_firewall_socket
netlink_kobject_uevent_socket
netlink_xfrm_socket
netlink_dnrt_socket
netlink_socket
#
(In reply to Milos Malik from comment #1)
> What is netlink_generic_socket? I don't see such a class in RHEL-7.2.

It's in Fedora 23:

[ipilcher@t430s ~]$ sudo seinfo -c | grep netlink
netlink_audit_socket
netlink_connector_socket
netlink_nflog_socket
netlink_netfilter_socket
netlink_iscsi_socket
netlink_tcpdiag_socket
netlink_route_socket
netlink_rdma_socket
netlink_selinux_socket
netlink_ip6fw_socket
netlink_firewall_socket
netlink_kobject_uevent_socket
netlink_xfrm_socket
netlink_dnrt_socket
netlink_generic_socket   <================
netlink_scsitransport_socket
netlink_crypto_socket
netlink_socket
netlink_fib_lookup_socket
Wow! So many new classes.
Hi, Ian, could you re-test this issue in permissive mode and attach AVCs? Thank you!
(In reply to Lukas Vrabec from comment #4)
> Ian, could you re-test this issue in permissive mode and attach AVCs?

Here you go. These messages occur when creating a bridge in a "clean" configuration. The same messages occur when the openvswitch service starts after a new boot (i.e. when the socket doesn't yet exist) if a bridge already exists.

type=AVC msg=audit(1448038403.177:142): avc: denied { create } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:143): avc: denied { setopt } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:144): avc: denied { getopt } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:145): avc: denied { connect } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:146): avc: denied { getattr } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1

It looks like the rules that already exist for netlink_socket need to be changed/supplemented with netlink_generic_socket. I can't help wondering why the type of the socket changed.
Created attachment 1098487
policy module that makes Open vSwitch work

This policy module appears to make things work again. Note that some of the required permissions (at least read and write) are masked by dontaudit rules, so I simply copied the existing netlink_socket permissions to netlink_generic_socket.
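As an added illustration of the workaround discussed in comments #5 and #6 (this is example code, not the attachment above and not part of the selinux-policy or Open vSwitch projects), the script below turns the raw AVC lines from comment #5 into a minimal Type Enforcement (.te) module the way audit2allow would: it groups the denied permissions by (source type, target type, class), collapses a target equal to the source into `self`, drops duplicate permissions, and emits the `require` block and a single `allow` rule. The six sample AVC lines are embedded inline (the five from comment #5 plus the original one from the report, which exercises the de-duplication); the module name `mypol` is the one used in the report's setroubleshoot suggestion.

```shell
#!/bin/sh
# Added example: build a .te policy module from raw AVC denial lines,
# consolidating permissions per (source, target, class) like audit2allow.
# Sample input is the AVC lines from this bug report, embedded for offline use.

AVC_SAMPLE='type=AVC msg=audit(1447705413.311:107): avc: denied { create } for pid=1254 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1448038403.177:142): avc: denied { create } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:143): avc: denied { setopt } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:144): avc: denied { getopt } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:145): avc: denied { connect } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:146): avc: denied { getattr } for pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1'

# avc_to_te MODULE_NAME   (reads AVC lines on stdin, writes a .te module to stdout)
avc_to_te() {
    awk -v mod="$1" '
    /avc: +denied +[{]/ {
        # The denied permissions sit inside the first { ... } of the line.
        perms = $0
        sub(/^.*denied +[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level, so the type is the third field
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        # remember every type for the require block, in first-seen order
        if (!(src in types)) { types[src] = ++nt; tord[nt] = src }
        if (!(tgt in types)) { types[tgt] = ++nt; tord[nt] = tgt }
        # a process acting on its own objects is written as "self"
        tname = (src == tgt) ? "self" : tgt
        key = src ":" tname ":" cls
        if (!(key in rules)) { rules[key] = ++nr; rord[nr] = key }
        if (!(cls in classes)) { classes[cls] = ++nc; cord[nc] = cls }
        n = split(perms, plist, " ")
        for (j = 1; j <= n; j++) {
            p = plist[j]
            if (p == "") continue
            # union of permissions per rule, and per class for the require block
            if (!((key, p) in seen))  { seen[key, p] = 1;  rperm[key] = rperm[key] " " p }
            if (!((cls, p) in cseen)) { cseen[cls, p] = 1; cperm[cls] = cperm[cls] " " p }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tord[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", cord[i], cperm[cord[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rord[i], k, ":")
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rperm[rord[i]]
        }
    }'
}

# Stand-alone run: print the module generated from the sample denials.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te mypol
```

For the sample input this yields one rule, `allow openvswitch_t self:netlink_generic_socket { create setopt getopt connect getattr };`, which is tightly scoped because `self` restricts it to ovs-vswitchd's own sockets. Because comment #6 notes that read/write on the class are hidden by dontaudit rules, collect the denials with dontaudit disabled (`semodule -DB`, then `semodule -B` to restore) so the generated rule is complete; then build and load it with `checkmodule -M -m -o mypol.te.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.te.mod` and `semodule -i mypol.pp`, after reading the .te to confirm it grants nothing beyond what the denials show.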
commit 6f7e0b5420559a765deb8096fc36be9a9d1613c4
Author: Lukas Vrabec <lvrabec>
Date:   Tue Dec 8 13:35:27 2015 +0100

    Allow openvswitch to create netlink generic sockets.
    BZ(1282638)
selinux-policy-3.13.1-157.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 testing repository.
If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.