Bug 1357961 - neutron-openvswitch-agent using of_interface = native triggers AVCs and fails to receive flow updates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: trunk
Assignee: Ryan Hallisey
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: RDO-NEWTON
Reported: 2016-07-19 16:45 UTC by Ihar Hrachyshka
Modified: 2017-06-18 12:08 UTC (History)

Fixed In Version: openstack-selinux-0.7.4-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-18 12:08:05 UTC
Embargoed:



Description Ihar Hrachyshka 2016-07-19 16:45:04 UTC
Description of problem:

Since Liberty, Neutron allows using the Ryu local node controller to program OVSDB switches. This is enabled with of_interface = native in the openvswitch_agent.ini file. The native interface became the default in Newton.

When I try to run the OVS agent with the native interface enabled, I get the following AVC denials:

type=AVC msg=audit(1468946225.187:10125): avc:  denied  { name_bind } for  pid=18325 comm="neutron-openvsw" src=6633 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:openflow_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { rlimitinh } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { siginh } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { noatsecure } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process

For the sake of the bug, only the first AVC is relevant.

In agent logs, the following traceback is seen:

2016-07-19 17:57:19.310 20533 ERROR ryu.lib.hub [-] hub: uncaught exception: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ryu/lib/hub.py", line 52, in _launch
    func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ryu/controller/controller.py", line 72, in __call__
    self.server_loop()
  File "/usr/lib/python2.7/site-packages/ryu/controller/controller.py", line 97, in server_loop
    datapath_connection_factory)
  File "/usr/lib/python2.7/site-packages/ryu/lib/hub.py", line 108, in __init__
    self.server = eventlet.listen(listen_info)
  File "/usr/lib/python2.7/site-packages/eventlet/convenience.py", line 43, in listen
    sock.bind(addr)
  File "/usr/lib64/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 13] Permission denied

The result of the bug is that the switch won't get any flow updates, since the Ryu controller that is supposed to program the switch fails to open the port for the switch to connect to.

Version-Release number of selected component (if applicable):

openstack-neutron-openvswitch-9.0.0-0.20160718211657.ca57c9f.el7.centos.noarch
openstack-selinux-0.7.2-1.el7.noarch

How reproducible: always.


Steps to Reproduce:
1. set of_interface = native in openvswitch_agent.ini
2. systemctl restart neutron-openvswitch-agent
3. observe logs.

Actual results: traceback in agent log file, AVC in audit.log.


Expected results: logs are clean, flows are updated.


Additional info:

Note that while the bug hit the RDO gate in Newton only, it affects Neutron starting from Liberty. It's just that until Newton, the native interface was not enabled by default, so we had not caught it in time.
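
The report above shows the usual SELinux triage problem: several AVC lines land in audit.log at once, only one of them (name_bind on port 6633, labelled openflow_port_t) actually breaks the agent, and the three process-class denials from the iptables-save transition are noise. The script below is an added example, not code from the bug report or from openstack-selinux: it parses the four AVC lines quoted above (embedded here as constructed sample input), separates transition-only denials (rlimitinh, siginh, noatsecure, which policies normally dontaudit) from blocking ones, and prints the raw allow rule that audit2allow would derive for each blocking denial. The parser, the classification heuristic and the rule formatter are this example's own; the packaged fix in openstack-selinux-0.7.4 may express the same permission through a policy interface rather than this raw rule.

```python
import re

# Constructed sample input: the four AVC lines quoted in the bug description.
AUDIT_LOG = """\
type=AVC msg=audit(1468946225.187:10125): avc:  denied  { name_bind } for  pid=18325 comm="neutron-openvsw" src=6633 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:openflow_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { rlimitinh } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { siginh } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1468946228.093:10129): avc:  denied  { noatsecure } for  pid=18345 comm="iptables-save" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process
"""

# Shape of a kernel AVC record: header, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions SELinux checks on every domain transition (here neutron_t -> iptables_t).
# Denials of these do not stop the child from running; policies usually dontaudit them.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}


def type_of(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "src_port": int(fields["src"]) if "src" in fields else None,
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def classify(avc):
    """'noise' for transition-only process denials, 'blocking' for everything else."""
    if avc["tclass"] == "process" and set(avc["perms"]) <= TRANSITION_NOISE:
        return "noise"
    return "blocking"


def allow_rule(avc):
    """Raw allow rule in the form audit2allow emits for this denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], perm_str)


def triage(log_text):
    """Return (avc, rule) pairs for every blocking denial in the log text."""
    result = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None and classify(avc) == "blocking":
            result.append((avc, allow_rule(avc)))
    return result


if __name__ == "__main__":
    for avc, rule in triage(AUDIT_LOG):
        port = " (port %d)" % avc["src_port"] if avc["src_port"] else ""
        print("%s: %s denied %s on %s%s" % (
            avc["serial"], avc["comm"], " ".join(avc["perms"]), avc["tclass"], port))
        print("  candidate rule: " + rule)
```

Run against the sample, the script reports a single blocking denial and the rule `allow neutron_t openflow_port_t:tcp_socket name_bind;`, which is exactly what the agent needs to bind the controller port. Before loading such a rule, confirm the port label on the host with `semanage port -l | grep openflow_port_t` so the allow is scoped to the OpenFlow ports rather than to a broad port type.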

Comment 1 Ryan Hallisey 2016-07-19 16:58:25 UTC
type=AVC msg=audit(1468946225.187:10125): avc:  denied  { name_bind } for  pid=18325 comm="neutron-openvsw" src=6633 scontext=system_u:system_r:neutron_t:s0 

This is the only one we need policy for, I think.  The others don't seem like they are breaking anything.

Comment 2 David Moreau Simard 2016-07-19 19:07:51 UTC
Built and tagged in the context of RDO Newton: https://cbs.centos.org/koji/buildinfo?buildID=11605

Comment 3 Christopher Brown 2017-06-18 12:08:05 UTC
Fixed last year so closing.

