Bug 1418351 - "ovs-vsctl: Error detected while setting up" message asserts using ovs-vsctl 2.6.1.3 with Pegas kernel 4.9.0-6.el7.x86_64
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4-Alt
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-02-01 15:41 UTC by Rick Alongi
Modified: 2017-04-10 13:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-10 13:41:49 UTC
Target Upstream Version:
Embargoed:


Attachments
ovs-vswitchd.log (deleted), 2017-02-01 15:41 UTC, Rick Alongi
ovsdb-server.log (359 bytes, text/plain), 2017-02-01 15:42 UTC, Rick Alongi

Description Rick Alongi 2017-02-01 15:41:47 UTC
Description of problem:


Version-Release number of selected component (if applicable):
Kernel: 4.9.0-6.el7.x86_64
openvswitch: openvswitch-2.6.1-3.git20161206.el7fdb.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Provision system with Pegas (Kernel: 4.9.0-6.el7.x86_64)

2. rpm -ivh http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/3.git20161206.el7fdb/x86_64/openvswitch-2.6.1-3.git20161206.el7fdb.x86_64.rpm

3. systemctl start openvswitch.service

4. See below

[root@netqe13 openvswitch]# ovs-vsctl add-br ovsbr0
ovs-vsctl: Error detected while setting up 'ovsbr0'.  See ovs-vswitchd log for details.

[root@netqe13 openvswitch]# ovs-vsctl add-port ovsbr0 p2p1
ovs-vsctl: Error detected while setting up 'p2p1'.  See ovs-vswitchd log for details.

[root@netqe13 openvswitch]# ovs-vsctl add-port ovsbr0 intport0 -- set interface intport0 type=internal
ovs-vsctl: Error detected while setting up 'intport0'.  See ovs-vswitchd log for details.


[root@netqe13 openvswitch]# ovs-vsctl show
124678b6-403a-4a2e-9160-281ad1bb1489
    Bridge "ovsbr0"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
        Port "intport0"
            Interface "intport0"
                type: internal
        Port "p2p1"
            Interface "p2p1"
    ovs_version: "2.6.1"
[root@netqe13 openvswitch]# ip l l | grep intport
[root@netqe13 openvswitch]# 

Actual results:
Error message observed when attempting to create an OVS bridge and add ports to it.  Port(s) not reported via "ip link list" but do show up in "ovs-vsctl show" output.

Expected results:
OVS bridge and ports are successfully created


Additional info:
This problem is not observed using same openvswitch package with RHEL 7.3 kernel 3.10.0-514.el7.x86_64.

ovs-vswitchd.log reports "Permission denied" errors.  I did not observe any related SELinux messages in /var/log/audit/audit.log and error asserted whether SELinux was set to Enforcing or Permissive.

ovs-vswitchd.log and ovsdb-server.log files attached.  

sosreport located here: http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-ralongi-20170201101144.tar.xz

Comment 1 Rick Alongi 2017-02-01 15:42:37 UTC
Created attachment 1246695
ovsdb-server.log

Comment 3 Rick Alongi 2017-02-01 16:01:15 UTC
Permissions should be all set now.

Thanks,
Rick

Comment 4 Aaron Conole 2017-02-01 18:13:07 UTC
Looks like there are a bunch of selinux issues for ovs-vswitchd to even get the netlink socket.  Can you just check if disabling selinux before starting ovs makes a difference?  If so, it would point to a problem with the way your pegas system got the selinux policies.

Comment 7 Milos Malik 2017-02-01 19:31:16 UTC
I believe this bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1397974

Comment 8 Milos Malik 2017-02-01 20:03:26 UTC
Please ignore the comment#7. This bug looks more like https://bugzilla.redhat.com/show_bug.cgi?id=1405479.

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(02/01/2017 20:59:50.902:380) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 20:59:50.902:380) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 20:59:50.902:380) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 20:59:50.902:380) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x10471f0 a1=0x7fffe0445210 a2=0x7fffe0445210 a3=0xb items=1 ppid=15175 pid=15220 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 20:59:50.902:380) : avc:  denied  { getattr } for  pid=15220 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0 
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:397) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:397) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:397) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:397) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x25c5440 a1=0x7ffd69702160 a2=0x7ffd69702160 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:397) : avc:  denied  { getattr } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:398) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:398) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:398) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:398) : arch=x86_64 syscall=access success=yes exit=0 a0=0x25c5440 a1=X_OK a2=0x7ffd69702090 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:398) : avc:  denied  { execute } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:399) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:399) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:399) : cwd=/ 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:399) : arch=x86_64 syscall=access success=yes exit=0 a0=0x25c5440 a1=R_OK a2=0x7ffd69702090 a3=0xb items=1 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-ctl exe=/usr/bin/bash subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:399) : avc:  denied  { read } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/01/2017 21:00:42.392:400) : proctitle=/bin/sh /usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start 
type=PATH msg=audit(02/01/2017 21:00:42.392:400) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=1416308 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL 
type=PATH msg=audit(02/01/2017 21:00:42.392:400) : item=0 name=/bin/hostname inode=25225764 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(02/01/2017 21:00:42.392:400) : cwd=/ 
type=EXECVE msg=audit(02/01/2017 21:00:42.392:400) : argc=2 a0=hostname a1=-f 
type=SYSCALL msg=audit(02/01/2017 21:00:42.392:400) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x25c5440 a1=0x25c6890 a2=0x25bdaf0 a3=0x7ffd69702000 items=2 ppid=15368 pid=15403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostname exe=/usr/bin/hostname subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { execute_no_trans } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { open } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 
----
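
Added example (not part of the original bug report or any commenter's code): a Python script that parses the AVC lines quoted in comment 8 and shows that enforcing mode logged only `getattr`, because the failed `stat` stopped ovs-ctl before it attempted the other accesses that permissive mode recorded. The names `summarize` and `only_in_permissive` are hypothetical; the sample lines are copied from the records above.

```python
import re
from collections import defaultdict

# AVC lines copied from the ausearch output quoted in comment 8.
SAMPLE = """\
type=AVC msg=audit(02/01/2017 20:59:50.902:380) : avc:  denied  { getattr } for  pid=15220 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/01/2017 21:00:42.392:397) : avc:  denied  { getattr } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:42.392:398) : avc:  denied  { execute } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:42.392:399) : avc:  denied  { read } for  pid=15403 comm=ovs-ctl name=hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { execute_no_trans } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/01/2017 21:00:42.392:400) : avc:  denied  { open } for  pid=15403 comm=ovs-ctl path=/usr/bin/hostname dev="vda2" ino=25225764 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
"""

# Matches the "avc:" payload only, so the msg=audit(...) prefix format does not matter.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<mode>[01]))?"
)
# Records without a permissive= field are bucketed as "unknown".
MODES = {"0": "enforcing", "1": "permissive", None: "unknown"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(text):
    """Group denied permissions by (source type, target type, class) and mode."""
    summary = defaultdict(lambda: defaultdict(set))
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        summary[key][MODES[m["mode"]]].update(m["perms"].split())
    return summary


def only_in_permissive(summary):
    """Permissions logged in permissive mode that never appear in enforcing mode."""
    return {key: sorted(modes["permissive"] - modes["enforcing"])
            for key, modes in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), hidden in only_in_permissive(summarize(SAMPLE)).items():
        print(f"{src} -> {tgt}:{cls} not visible in enforcing mode: {hidden}")
```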

Comment 10 Milos Malik 2017-03-02 19:32:42 UTC
The /var/log/audit/audit.log file, which is bundled in the sosreport file (URL taken from comment#0), contains 2 kinds of SELinux denials:
* first are related to /usr/bin/hostname (already addressed in BZ#1405479)
* second are related to netlink_generic_socket (already addressed in BZ#1397974)

This bug can be closed as a duplicate, because it mixes symptoms of both above-mentioned bugs.

Comment 11 Lukas Vrabec 2017-04-10 13:41:49 UTC
Fixed here:
https://github.com/redhat-openstack/openstack-selinux

