Red Hat Bugzilla – Bug 1284268
Selinux is blocking ovs-vswitchd (openvswitch)
Last modified: 2016-04-07 17:13:31 EDT
Created attachment 1097535 [details]
Description of problem:
After starting neutron-server and openvswitch, SELinux starts denying various networking actions and ovs-vswitchd stops working.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install rhos 8 with openvswitch
Actual results:
ovs-vswitchd dies suddenly.
Expected results:
ovs-vswitchd should run all the time.
Created attachment 1098008 [details]
audit log for openstack-selinux-0.6.46-1
I tried the new package but I still have errors. Log attached.
Can you retest in permissive, please? When you catch something in enforcing, go back and test in permissive, because enforcing won't show all the AVCs that are breaking this. I'll wait for those logs and then build off that.
Created attachment 1098330 [details]
audit.log with settings to permissive before running tests
When setting to permissive and running tests everything is working fine.
Created attachment 1098334 [details]
audit.log.1 with settings to permissive before running tests
Adding part 2 of the latest log, attached.
We still have fails. Logs attached.
allow openvswitch_t self:tun_socket create;
allow openvswitch_t tun_tap_device_t:chr_file open;
These 2 showed up.
Created attachment 1100728 [details]
Created attachment 1107937 [details]
Seems like it still doesn't work when selinux is set on Enforcing.
There are no AVCs in that log. Can you run in permissive and see if anything pops up?
Beware the dontaudit rules, too.
(In reply to Lon Hohberger from comment #14)
> Beware the dontaudit rules, too.
I would go with
# semodule -DB
# setenforce 0
# ausearch -m avc,user_avc,selinux_err -ts recent
Can you test again with what Mirek suggested?
# semodule -DB
# setenforce 0
I still only see USER_AVCs. The real denial is not coming up yet.
#!!!! This avc has a dontaudit rule in the current policy
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;
buried as a dontaudit rule. This looks like a culprit.
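The following is an added example, not code from the bug report or from openstack-selinux. It mimics the part of audit2allow that this thread relied on: after collecting records with `semodule -DB; setenforce 0; ausearch -m avc,user_avc,selinux_err -ts recent`, it turns each `avc: denied` record into a candidate allow rule, merges permissions per (source, target, class), skips USER_AVC records that carry no denial (the policyload notices that made comment 17's log look empty), flags records captured under enforcing as an incomplete run, and marks rules known to be covered by a dontaudit rule with the same comment audit2allow prints. The audit lines are constructed to match the denials quoted in this thread; the KNOWN_DONTAUDIT set is an assumption containing only the rule identified above, not output of sesearch.

```python
#!/usr/bin/env python3
"""Turn raw audit.log AVC records into candidate SELinux allow rules.

Added example for this thread, not part of openstack-selinux or audit2allow.
"""
import re
from collections import OrderedDict, namedtuple

# Constructed sample audit records (not taken from the attached logs).
# Three kernel AVCs matching the rules quoted in the thread, plus one
# USER_AVC policyload notice, which is not a denial at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1450000000.123:456): avc:  denied  { create } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1450000000.124:457): avc:  denied  { open } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=1234 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1450000000.125:458): avc:  denied  { name_bind } for  pid=1235 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1450000000.126:459): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Assumption: the one dontaudit rule this thread found (comment 19). A real
# run would derive this from `sesearch --dontaudit` against the loaded policy.
KNOWN_DONTAUDIT = frozenset({("openvswitch_t", "ovsdb_port_t", "tcp_socket", "name_bind")})

Denial = namedtuple("Denial", "rec_type src tgt tclass perms permissive")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
PERMISSIVE_RE = re.compile(r"permissive=(\d)")


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return a Denial per record that actually contains 'avc: denied'.

    USER_AVC records without a denial (policyload notices, etc.) are skipped;
    a log consisting only of those contains no real denial to act on.
    """
    denials = []
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        rec_type = line.split()[0][len("type="):]
        m = AVC_RE.search(line)
        if not m:
            continue
        p = PERMISSIVE_RE.search(line)
        denials.append(Denial(
            rec_type,
            _type_of(m.group("scontext")),
            _type_of(m.group("tcontext")),
            m.group("tclass"),
            tuple(m.group("perms").split()),
            int(p.group(1)) if p else None,
        ))
    return denials


def incomplete_capture(denials):
    """True if any denial was logged under enforcing: the process was stopped
    at its first denial, so later ones are missing. Rerun under setenforce 0."""
    return any(d.permissive == 0 for d in denials)


def merge_rules(denials):
    """Group permissions by (source, target, class); same type on both sides -> self."""
    rules = OrderedDict()
    for d in denials:
        key = (d.src, "self" if d.src == d.tgt else d.tgt, d.tclass)
        rules.setdefault(key, set()).update(d.perms)
    return rules


def format_rules(rules, dontaudit=KNOWN_DONTAUDIT):
    """Render allow rules in the style audit2allow prints, flagging dontaudit hits."""
    lines = []
    for (src, tgt, tclass), perms in rules.items():
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        if any((src, tgt, tclass, p) in dontaudit for p in perms):
            lines.append("#!!!! This avc has a dontaudit rule in the current policy")
        lines.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return lines


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AUDIT)
    if incomplete_capture(found):
        print("# some denials were logged under enforcing; rerun in permissive")
    print("\n".join(format_rules(merge_rules(found))))
```

The dontaudit annotation only explains why a denial was invisible until `semodule -DB`; whether the resulting allow rule belongs in the policy is still a review decision, and the rules should be rebuilt from a permissive run with dontaudit disabled, then `semodule -B` and `setenforce 1` restored before the final enforcing retest.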
The latest package fixed the issues for me. Everything works as expected now.
(In reply to Arie Bregman from comment #21)
> The latest package fixed the issues for me. Everything works as expected now.
What are the reproduction steps for verification? HA environment?
(In reply to Alexander Stafeyev from comment #23)
> (In reply to Arie Bregman from comment #21)
> > The latest package fixed the issues for me. Everything works as expected now.
> What are the reproduction steps for verification? HA environment?
1. Deploy RHOS8
2. Test creation of networking resources - network port and subnet.
3. Create instances in different networks and a router. Verify connectivity between the instances.
4. Run tests (tempest/functional)
No need to deploy an HA environment.
There is connectivity between instances on different networks.
[root@overcloud-controller-0 ~]# getenforce
[root@overcloud-controller-0 ~]# sudo cat /var/log/audit/audit.log | grep den
[root@overcloud-controller-0 ~]# rpm -qa | grep openstack-sel
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.