Bug 1284268 - Selinux is blocking ovs-vswitchd (openvswitch)
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assigned To: Ryan Hallisey
QA Contact: Alexander Stafeyev
Reported: 2015-11-22 10:15 EST by Arie Bregman
Modified: 2016-04-07 17:13 EDT (History)
CC List: 11 users

Fixed In Version: openstack-selinux-0.6.52-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, Openvswitch was trying to create a tun socket, but SELinux prevented that. This update allows Openvswitch to create a tun socket, and as a result, Openvswitch now runs without failures.
Story Points: ---
Last Closed: 2016-04-07 17:13:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Attachments
audit log (6.85 KB, text/plain) - 2015-11-22 10:15 EST, Arie Bregman
audit log for openstack-selinux-0.6.46-1 (6.46 KB, text/plain) - 2015-11-24 01:55 EST, Arie Bregman
audit.log with settings to permissive before running tests (787.81 KB, text/plain) - 2015-11-24 14:39 EST, Arie Bregman
audit.log.1 with settings to permissive before running tests (6.00 MB, text/plain) - 2015-11-24 14:57 EST, Arie Bregman
audit.log-12/01 (6.00 MB, text/plain) - 2015-12-01 02:08 EST, Arie Bregman
audit.log-12.20 (4.48 MB, text/plain) - 2015-12-20 05:28 EST, Arie Bregman

Description Arie Bregman 2015-11-22 10:15:50 EST
Created attachment 1097535 [details]
audit log

Description of problem:
After starting neutron-server and openvswitch, selinux starts to deny different networking actions and ovs-vswitchd stops working.

Version-Release number of selected component (if applicable):
openstack-selinux-0.6.45-1.el7ost.noarch
openvswitch-2.4.0-1.el7.x86_64
python-openvswitch-2.4.0-1.el7.noarch
openstack-neutron-openvswitch-7.0.0-4.el7ost.noarch

Steps to Reproduce:
1. Install rhos 8 with openvswitch

Actual results:
ovs-vswitchd dies suddenly.

Expected results:
ovs-vswitchd should run all the time

Additional info:
Logs provided.
Comment 2 Arie Bregman 2015-11-24 01:55 EST
Created attachment 1098008 [details]
audit log for openstack-selinux-0.6.46-1
Comment 3 Arie Bregman 2015-11-24 01:56:39 EST
I tried the new package but I still have errors. Log attached.
Comment 4 Ryan Hallisey 2015-11-24 08:53:51 EST
Can you retest in permissive please? When you catch something in enforcing, go back and test in permissive because enforcing won't show all the AVCs that are breaking this.  I'll wait for those logs then build off that.
Comment 5 Arie Bregman 2015-11-24 14:39 EST
Created attachment 1098330 [details]
audit.log with settings to permissive before running tests

When setting to permissive and running tests everything is working fine.
Added log.
Comment 6 Arie Bregman 2015-11-24 14:57 EST
Created attachment 1098334 [details]
audit.log.1 with settings to permissive before running tests

Adding part 2 of latest log attached.
Comment 7 Arie Bregman 2015-11-26 04:12:05 EST
We still have fails. Logs attached.
Comment 8 Ryan Hallisey 2015-11-30 09:42:53 EST
allow openvswitch_t self:tun_socket create;
allow openvswitch_t tun_tap_device_t:chr_file open;

These 2 showed up.
Comment 10 Arie Bregman 2015-12-01 02:08 EST
Created attachment 1100728 [details]
audit.log-12/01
Comment 11 Arie Bregman 2015-12-01 02:09:32 EST
Still fails.
Log attached.
Comment 12 Arie Bregman 2015-12-20 05:28 EST
Created attachment 1107937 [details]
audit.log-12.20

Log attached.

Seems like it still doesn't work when selinux is set on Enforcing.
Comment 13 Ryan Hallisey 2016-01-05 12:44:31 EST
There are no AVCs in that log.  Can you run in permissive and see if anything pops up?
Comment 14 Lon Hohberger 2016-01-06 08:18:49 EST
Beware the dontaudit rules, too.
Comment 15 Miroslav Grepl 2016-01-07 05:06:14 EST
(In reply to Lon Hohberger from comment #14)
> Beware the dontaudit rules, too.

I would go with

# semodule -DB
# setenforce 0

re-test and

# ausearch -m avc,user_avc,selinux_err -ts recent
Comment 17 Ryan Hallisey 2016-01-07 11:15:38 EST
Can you test again with what Mirek suggested?
  
# semodule -DB
# setenforce 0

I still only see USER_AVCs.  The real denial is not coming up yet.
Comment 19 Ryan Hallisey 2016-01-13 13:33:23 EST
#!!!! This avc has a dontaudit rule in the current policy
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;

buried as a dontaudit rule.  This looks like a culprit.
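Added example (not from the bug report, and not part of openstack-selinux or the audit tools): a small Python parser that reads `type=AVC` records of the kind `ausearch -m avc` prints after the `semodule -DB` / `setenforce 0` run suggested in comment 15, skips `USER_AVC` records (the only ones visible in comment 17), and folds the denials into allow rules in the form quoted in comments 8 and 19. The audit lines below are constructed to produce exactly those three rules; the pids, timestamps and serial numbers are invented.

```python
"""Summarise SELinux AVC denials from an audit.log excerpt into candidate allow rules.

This is a stand-in for the `ausearch -m avc ... | audit2allow` step, useful for
reading a permissive-mode log the way the policy comments above present it.
"""
import re
from collections import defaultdict

# Constructed sample records (pids, timestamps and serials are made up). The first
# line is a USER_AVC from a userspace object manager and must not become a rule.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1448200000.001:100): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1448200001.123:101): avc:  denied  { create } for  pid=2100 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1448200001.456:102): avc:  denied  { open } for  pid=2100 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=1234 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1448200002.789:103): avc:  denied  { name_bind } for  pid=2100 comm="ovs-vswitchd" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1448200003.000:104): avc:  denied  { name_bind } for  pid=2100 comm="ovs-vswitchd" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1
"""

# Matches kernel AVC records only; the `permissive=` field is optional on old kernels.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)


def context_type(context: str) -> str:
    """Return the type field of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def parse_avc_denials(audit_text: str) -> list:
    """Extract one dict per kernel AVC denial; other record types are ignored."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        denials.append({
            "serial": int(m.group("serial")),
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but not blocked
            "permissive": m.group("permissive") == "1",
        })
    return denials


def allow_rules(denials: list) -> list:
    """Merge denials into policy-style allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules


def blocked_denials(denials: list) -> list:
    """Denials recorded with permissive=0: the ones that actually stopped the process."""
    return [d for d in denials if not d["permissive"]]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(found)} AVC denials, {len(blocked_denials(found))} enforced")
    for rule in allow_rules(found):
        print(rule)
```

Rules derived this way are only as complete as the log: a denial that is dontaudit'ed in the loaded policy never reaches audit.log unless `semodule -DB` was run first, which is exactly why the `name_bind` rule in comment 19 stayed hidden until then.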
Comment 21 Arie Bregman 2016-01-17 02:04:23 EST
The latest package fixed the issues for me. Everything works as expected now.
Comment 23 Alexander Stafeyev 2016-01-25 07:05:02 EST
(In reply to Arie Bregman from comment #21)
> The latest package fixed the issues for me. Everything works as expected now.

What are the reproduction steps for verification? HA environment?

Tnx
Comment 24 Arie Bregman 2016-01-25 07:25:18 EST
(In reply to Alexander Stafeyev from comment #23)
> (In reply to Arie Bregman from comment #21)
> > The latest package fixed the issues for me. Everything works as expected now.
> 
> What are the reproduction steps for verification? HA environment?
> 
> Tnx

1. Deploy RHOS8
2. Test creation of networking resources - network port and subnet.
3. Create instances in different networks and a router. Verify connectivity between the instances. 
4. Run tests (tempest/functional) 

No need to deploy an HA environment.
Comment 25 Alexander Stafeyev 2016-01-26 04:25:06 EST
There is connectivity between different network instances.

[root@overcloud-controller-0 ~]# getenforce 
Enforcing
[root@overcloud-controller-0 ~]# sudo cat /var/log/audit/audit.log | grep den
[root@overcloud-controller-0 ~]# rpm -qa | grep openstack-sel
openstack-selinux-0.6.52-1.el7ost.noarch
[root@overcloud-controller-0 ~]#
Comment 26 errata-xmlrpc 2016-04-07 17:13:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html