Bug 1282638 - SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket
SELinux is preventing ovs-vswitchd from create access on the netlink_generic_...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
23
Unspecified Unspecified
high Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
:
Depends On:
Blocks: 1435575
  Show dependency treegraph
 
Reported: 2015-11-16 18:23 EST by Ian Pilcher
Modified: 2017-03-24 05:34 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-156.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-12 23:22:34 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
lvrabec: needinfo-


Attachments (Terms of Use)
policy module that makes Open vSwitch work (384 bytes, text/plain)
2015-11-24 21:40 EST, Ian Pilcher
no flags Details

  None (edit)
Description Ian Pilcher 2015-11-16 18:23:23 EST
Description of problem:
SELinux is preventing ovs-vswitchd from create access on the netlink_generic_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-vswitchd should be allowed create access on the Unknown netlink_generic_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovs-vswitchd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        ovs-vswitchd
Source Path                   ovs-vswitchd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux ian.penurio.us 4.2.5-300.fc23.x86_64 #1 SMP
                              Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-16 14:23:33 CST
Last Seen                     2015-11-16 14:23:33 CST
Local ID                      a9248341-c071-4b62-9cd5-6bc229902870

Raw Audit Messages
type=AVC msg=audit(1447705413.311:107): avc:  denied  { create } for  pid=1254 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0


Hash: ovs-vswitchd,openvswitch_t,openvswitch_t,netlink_generic_socket,create


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-154.fc23.noarch

How reproducible:
100%

Steps to Reproduce:
1. ovs-vsctl add-br br0

Actual results:
ovs-vsctl: Error detected while setting up 'br0'.  See ovs-vswitchd log for details.

Expected results:
No error message; bridge created.
Comment 1 Milos Malik 2015-11-19 09:19:21 EST
What is netlink_generic_socket ? I don't see such a class in RHEL-7.2.

# seinfo -c | grep netlink
   netlink_audit_socket
   netlink_nflog_socket
   netlink_tcpdiag_socket
   netlink_route_socket
   netlink_selinux_socket
   netlink_ip6fw_socket
   netlink_firewall_socket
   netlink_kobject_uevent_socket
   netlink_xfrm_socket
   netlink_dnrt_socket
   netlink_socket
#
Comment 2 Ian Pilcher 2015-11-19 13:40:32 EST
(In reply to Milos Malik from comment #1)
> What is netlink_generic_socket ? I don't see such a class in RHEL-7.2.

It's in Fedora 23:

[ipilcher@t430s ~]$ sudo seinfo -c | grep netlink
   netlink_audit_socket
   netlink_connector_socket
   netlink_nflog_socket
   netlink_netfilter_socket
   netlink_iscsi_socket
   netlink_tcpdiag_socket
   netlink_route_socket
   netlink_rdma_socket
   netlink_selinux_socket
   netlink_ip6fw_socket
   netlink_firewall_socket
   netlink_kobject_uevent_socket
   netlink_xfrm_socket
   netlink_dnrt_socket
   netlink_generic_socket          <================
   netlink_scsitransport_socket
   netlink_crypto_socket
   netlink_socket
   netlink_fib_lookup_socket
Comment 3 Milos Malik 2015-11-20 02:04:15 EST
Wow! So many new classes.
Comment 4 Lukas Vrabec 2015-11-20 05:33:51 EST
Hi, 

Ian, could you re-test this issue in permissive mode and attach AVCs? 

Thank you!
Comment 5 Ian Pilcher 2015-11-20 12:17:43 EST
(In reply to Lukas Vrabec from comment #4)
> Ian, could you re-test this issue in permissive mode and attach AVCs? 

Here you go.  These messages occur when creating a bridge in a "clean" configuration.  They same messages occur when the openvswitch service starts after a new boot (i.e. when the socket doesn't yet exist) if a bridge already exists.

type=AVC msg=audit(1448038403.177:142): avc:  denied  { create } for  pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:143): avc:  denied  { setopt } for  pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:144): avc:  denied  { getopt } for  pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:145): avc:  denied  { connect } for  pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1448038403.177:146): avc:  denied  { getattr } for  pid=1717 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1

It looks like the rules that already exists for netlink_socket need to be changes/supplemented with netlink_generic_socket.  I can't help wondering why the type of the socket changed.
Comment 6 Ian Pilcher 2015-11-24 21:40 EST
Created attachment 1098487 [details]
policy module that makes Open vSwitch work

This policy module appears to make things work again.  Note that some of the required permissions (at least read and write) are masked to dontaudit rules, so I simply copied the existing netlink_socket permissions to netlink_generic_socket.
Comment 7 Lukas Vrabec 2015-12-08 07:36:53 EST
commit 6f7e0b5420559a765deb8096fc36be9a9d1613c4
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Dec 8 13:35:27 2015 +0100

    Allow openvswitch to create netlink generic sockets. BZ(1282638)
Comment 8 Fedora Update System 2015-12-09 08:38:12 EST
selinux-policy-3.13.1-157.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
Comment 9 Fedora Update System 2015-12-09 23:55:14 EST
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
Comment 10 Fedora Update System 2015-12-12 23:22:16 EST
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.