Bug 1418351 - "ovs-vsctl: Error detected while setting up" message asserts using ovs-vsctl 2.6.1.3 with Pegas kernel 4.9.0-6.el7.x86_64
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4-Alt
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2017-02-01 15:41 UTC by Rick Alongi
Modified: 2017-04-10 13:41 UTC (History)

Last Closed: 2017-04-10 13:41:49 UTC

Attachments
ovs-vswitchd.log (deleted)
2017-02-01 15:41 UTC, Rick Alongi
ovsdb-server.log (359 bytes, text/plain)
2017-02-01 15:42 UTC, Rick Alongi

Description Rick Alongi 2017-02-01 15:41:47 UTC
Description of problem:


Version-Release number of selected component (if applicable):
Kernel: 4.9.0-6.el7.x86_64
openvswitch: openvswitch-2.6.1-3.git20161206.el7fdb.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Provision system with Pegas (Kernel: 4.9.0-6.el7.x86_64)

2. rpm -ivh http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/3.git20161206.el7fdb/x86_64/openvswitch-2.6.1-3.git20161206.el7fdb.x86_64.rpm

3. systemctl start openvswitch.service

4. See below

[root@netqe13 openvswitch]# ovs-vsctl add-br ovsbr0
ovs-vsctl: Error detected while setting up 'ovsbr0'.  See ovs-vswitchd log for details.

[root@netqe13 openvswitch]# ovs-vsctl add-port ovsbr0 p2p1
ovs-vsctl: Error detected while setting up 'p2p1'.  See ovs-vswitchd log for details.

[root@netqe13 openvswitch]# ovs-vsctl add-port ovsbr0 intport0 -- set interface intport0 type=internal
ovs-vsctl: Error detected while setting up 'intport0'.  See ovs-vswitchd log for details.


[root@netqe13 openvswitch]# ovs-vsctl show
124678b6-403a-4a2e-9160-281ad1bb1489
    Bridge "ovsbr0"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
        Port "intport0"
            Interface "intport0"
                type: internal
        Port "p2p1"
            Interface "p2p1"
    ovs_version: "2.6.1"
[root@netqe13 openvswitch]# ip l l | grep intport
[root@netqe13 openvswitch]# 

Actual results:
Error message observed when attempting to create an OVS bridge and add ports to it.  Port(s) not reported via "ip link list" but do show up in "ovs-vsctl show" output.

Expected results:
OVS bridge and ports are successfully created


Additional info:
This problem is not observed using same openvswitch package with RHEL 7.3 kernel 3.10.0-514.el7.x86_64.

ovs-vswitchd.log reports "Permission denied" errors.  I did not observe any related SELinux messages in /var/log/audit/audit.log and error asserted whether SELinux was set to Enforcing or Permissive.

ovs-vswitchd.log and ovsdb-server.log files attached.  

sosreport located here: http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-ralongi-20170201101144.tar.xz

Comment 1 Rick Alongi 2017-02-01 15:42:37 UTC
Created attachment 1246695 [details]
ovsdb-server.log

Comment 3 Rick Alongi 2017-02-01 16:01:15 UTC
Permissions should be all set now.

Thanks,
Rick

Comment 4 Aaron Conole 2017-02-01 18:13:07 UTC
Looks like there are a bunch of selinux issues for ovs-vswitchd to even get the netlink socket.  Can you just check if disabling selinux before starting ovs makes a difference?  If so, it would point to a problem with the way your pegas system got the selinux policies.

Comment 7 Milos Malik 2017-02-01 19:31:16 UTC
I believe this bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1397974

Comment 8 Milos Malik 2017-02-01 20:03:26 UTC
Please ignore comment#7. This bug looks more like https://bugzilla.redhat.com/show_bug.cgi?id=1405479.

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(02/01/2017 20:59:50.902:380) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 20:59:50.902:380) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 20:59:50.902:380) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 20:59:50.902:380) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x10471f0 a1=0x7fffe0445210 a2=0x7fffe0445210 a3=0xb items=1 ppid=15175 pid=15220 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 20:59:50.902:380) : avc:  denied  { getattr } for  pid=15220 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:397) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:397) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:397) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:397) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x25c5440 a1=0x7ffd69702160 a2=0x7ffd69702160 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:397) : avc:  denied  { getattr } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:398) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:398) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:398) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:398) : arch=x86_64 syscall=access success=yes exit=0 a0=0x25c5440 a1=X_OK a2=0x7ffd69702090 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:398) : avc:  denied  { execute } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:399) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:399) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:399) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:399) : arch=x86_64 syscall=access success=yes exit=0 a0=0x25c5440 a1=R_OK a2=0x7ffd69702090 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:399) : avc:  denied  { read } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:400) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:400) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=1416308 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL 
type=PATH msg=audit(02/01/2017 21:00:42.392:400) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:400) : cwd=/ 
type=EXECVE msg=audit(02/01/2017 21:00:42.392:400) : argc=2 a0=hostname a1=-f 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:400) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x25c5440 a1=0x25c6890 a2=0x25bdaf0 a3=0x7ffd69702000 items=2 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostname exe=/usr/bin/hostname subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { execute_no_trans } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { open } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----

Comment 10 Milos Malik 2017-03-02 19:32:42 UTC
The /var/log/audit/audit.log file, which is bundled in the sosreport file (URL taken from comment#0), contains 2 kinds of SELinux denials:
* first are related to /usr/bin/hostname (already addressed in BZ#1405479)
* second are related to netlink_generic_socket (already addressed in BZ#1397974)

This bug can be closed as a duplicate, because it mixes symptoms of both above-mentioned bugs.

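The audit records quoted in comment 8 and the two denial kinds that comment 10 distinguishes (hostname_exec_t file access and netlink_generic_socket) are the kind of thing a triager ends up grouping by hand. The following is an added example, not code from the bug report, Red Hat, or the openvswitch/selinux-policy projects: a small parser for ausearch-style interpreted AVC records that groups denials by source type, target type and object class, notes whether any of them was actually enforced (permissive=0) as opposed to merely logged (permissive=1), and prints the allow rule the grouped denials imply, in the same shape audit2allow would print it, so it can be compared against what the policy fix adds. The three hostname records in the sample are copied from comment 8; the SYSCALL line and the netlink_generic_socket record are constructed for illustration and are not taken from the page. The function names (parse_avc, summarize_denials, classify, policy_rule) are this example's own.

```python
import re

# Constructed sample audit text. The three hostname AVC records are copied from
# the audit output quoted in comment 8 (one enforcing-mode denial, two
# permissive-mode denials); the SYSCALL line shows non-AVC records being skipped;
# the last record is a constructed illustration of the netlink_generic_socket
# denial kind named in comment 10, not a line taken from the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/01/2017 20:59:50.902:380) : avc:  denied  { getattr } for  pid=15220 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(02/01/2017 20:59:50.902:380) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(02/01/2017 21:00:42.392:398) : avc:  denied  { execute } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { execute_no_trans } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:43.000:401) : avc:  denied  { create } for  pid=15500 comm=ovs-vswitchd scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
"""

# Matches the interpreted (ausearch -i style) AVC record layout seen in comment 8.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[^)]*)\) : avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\} for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values (dev="vda2") keep their inner text.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": m.group("ts"),
        "result": m.group("result"),
        "perms": tuple(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but allowed to proceed.
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    """system_u:system_r:openvswitch_t:s0 -> openvswitch_t"""
    return context.split(":")[2] if context else None


def summarize_denials(audit_text):
    """Group denials by (source type, target type, class).

    Each group records the union of denied permissions, how many records
    contributed, and whether at least one denial was enforced (permissive=0),
    which is what distinguishes a real failure from a noisy permissive-mode log.
    """
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "enforced": False, "count": 0})
        g["perms"].update(rec["perms"])
        g["enforced"] = g["enforced"] or not rec["permissive"]
        g["count"] += 1
    return groups


def classify(key):
    """Map a group key onto the two denial kinds comment 10 distinguishes."""
    _src, tgt, tclass = key
    if tgt == "hostname_exec_t":
        return "hostname"
    if tclass and tclass.startswith("netlink_"):
        return "netlink"
    return "other"


def policy_rule(key, perms):
    """The allow rule these denials imply, in audit2allow's output shape, for
    comparison against the rule the policy fix actually adds."""
    src, tgt, tclass = key
    return "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))


if __name__ == "__main__":
    for key, g in summarize_denials(SAMPLE_AUDIT).items():
        mode = "ENFORCED" if g["enforced"] else "permissive only"
        print("%-9s %-15s x%d  %s" % (classify(key), mode, g["count"], policy_rule(key, g["perms"])))
```

Run against a real log, feed it the interpreted output of ausearch (the `-i` form, which is what comment 8 shows) rather than raw audit.log lines, since the raw form encodes the timestamp and some fields differently. The "enforced" flag is the useful bit for a report like this one: the reporter saw a hard "Permission denied" from ovs-vswitchd, and only enforcing-mode records with permissive=0 explain that, whereas permissive=1 records merely show what would have been blocked.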
Comment 11 Lukas Vrabec 2017-04-10 13:41:49 UTC
Fixed here:
https://github.com/redhat-openstack/openstack-selinux

