Bug 1433432 - Upgrading OSP9 to OSP10 with OVS2.6 produces AVCs denied ovs-vsctl in audit.log.
Status: CLOSED DUPLICATE of bug 1417164
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: pre-dev-freeze
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
Blocks: 1408224
Reported: 2017-03-17 16:00 UTC by Omri Hochman
Modified: 2017-03-24 06:18 UTC
Last Closed: 2017-03-23 17:39:00 UTC

Attachments:
audit.log (3.94 MB, text/plain), 2017-03-17 16:00 UTC, Omri Hochman

Description Omri Hochman 2017-03-17 16:00:29 UTC
Created attachment 1264128: audit.log

Upgrading OSP9 to OSP10 with OVS2.6 produces AVCs denied ovs-vsctl in audit.log.

Environment: 
-------------
python-openvswitch-2.6.1-10.git20161206.el7fdp.noarch
openstack-neutron-openvswitch-9.2.0-2.el7ost.noarch
openstack-neutron-openvswitch-8.3.0-3.el7ost.noarch
openvswitch-2.6.1-10.git20161206.el7fdp.x86_64


Description:
------------
After deployment of OpenStack using Director (OSP-9), we attempted to enable the repo that provides OVS2.6 and ran a major upgrade from OSP9 to OSP10. When the upgrade finished, I noticed that there are AVC messages.

We couldn't find any "side effects" or bad behavior caused by those messages.


/var/log/audit/audit.log (attached on the controller)
-----------------------------------------------
type=AVC msg=audit(1489696884.115:42): avc:  denied  { search } for  pid=1387 comm="ovs-vsctl" name="1360" dev="proc" ino=19827 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696884.115:42): arch=c000003e syscall=2 success=no exit=-13 a0=7fa12096f580 a1=0 a2=1b6 a3=24 items=0 ppid=1360 pid=1387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1489696884.121:43): dev=vlan20 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1489696884.121:43): arch=c000003e syscall=46 success=yes exit=56 a0=10 a1=7ffe120cef70 a2=0 a3=40 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696890.179:44): avc:  denied  { search } for  pid=1520 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.179:44): arch=c000003e syscall=2 success=no exit=-13 a0=7f92c6b7ae40 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696890.186:45): avc:  denied  { search } for  pid=1521 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.186:45): arch=c000003e syscall=2 success=no exit=-13 a0=7f355f163c30 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1489696890.192:46): dev=vlan30 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1489696890.192:46): arch=c000003e syscall=46 success=yes exit=56 a0=10 a1=7ffe120cef70 a2=0 a3=40 items=0 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696896.646:47): avc:  denied  { search } for  pid=1648 comm="ovs-vsctl" name="1621" dev="proc" ino=20057 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696896.646:47): arch=c000003e syscall=2 success=no exit=-13 a0=7f7e1aaabad0 a1=0 a2=1b6 a3=24 items=0 ppid=1621 pid=1648 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
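
As an added example (not part of the original report and not Red Hat tooling), the Python below pairs each AVC record with the SYSCALL record of the same audit event and collapses the denials into unique rule signatures, which is how a batch of AVCs can be checked against an already-known issue. The sample records are copied from the log above with wrapped lines rejoined; the function and key names are this example's own.

```python
import re
from collections import Counter

# Records copied from the audit.log excerpt in this report, wrapped lines rejoined.
SAMPLE = """\
type=AVC msg=audit(1489696884.115:42): avc:  denied  { search } for  pid=1387 comm="ovs-vsctl" name="1360" dev="proc" ino=19827 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696884.115:42): arch=c000003e syscall=2 success=no exit=-13 a0=7fa12096f580 a1=0 a2=1b6 a3=24 items=0 ppid=1360 pid=1387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1489696884.121:43): dev=vlan20 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=AVC msg=audit(1489696890.179:44): avc:  denied  { search } for  pid=1520 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.179:44): arch=c000003e syscall=2 success=no exit=-13 a0=7f92c6b7ae40 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696890.186:45): avc:  denied  { search } for  pid=1521 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.186:45): arch=c000003e syscall=2 success=no exit=-13 a0=7f355f163c30 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
"""

EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def parse_denials(text):
    """Return one dict per AVC denial, joined to the SYSCALL record of the same event."""
    events = {}
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = tuple(PERMS.search(body).group(1).split())
        events.setdefault(event_id, {})[rtype] = fields
    denials = []
    for event_id, recs in events.items():
        if "AVC" not in recs:
            continue  # e.g. ANOM_PROMISCUOUS events carry no denial
        avc, sc = recs["AVC"], recs.get("SYSCALL", {})
        denials.append({
            "event": event_id,
            "exe": sc.get("exe", avc.get("comm")),
            # Contexts are user:role:type:level; policy rules are written on the type.
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            # True when the denied object is /proc/<pid of the caller's parent>.
            "parent_proc": avc.get("dev") == "proc" and avc.get("name") == sc.get("ppid"),
        })
    return denials

def summarize(denials):
    """Count denials per unique (source type, target type, class, permissions)."""
    return Counter((d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(parse_denials(SAMPLE)).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

On these records every denial reduces to one signature, openvswitch_t searching an initrc_t directory, and in each case the directory name under /proc equals the ppid in the paired SYSCALL record.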

Comment 1 Flavio Leitner 2017-03-17 17:21:56 UTC
These were fixed already, are you sure you have latest selinux-policy?
Please try the fixed package from https://bugzilla.redhat.com/show_bug.cgi?id=1430751

That is the latest bug which should include the fix for the reported issues plus the next one you will find :-)

Comment 2 Omri Hochman 2017-03-20 16:19:06 UTC
(In reply to Flavio Leitner from comment #1)
> These were fixed already, are you sure you have latest selinux-policy?
> Please try the fixed package from
> https://bugzilla.redhat.com/show_bug.cgi?id=1430751
> 
> That is the latest bug which should include the fix for the reported issues
> plus the next one you will find :-)


Hi Flavio: the issue occurred with the latest OSP10 (upgraded from OSP9),
so that was the current SELinux package released in OSP10.


[root@instack ~]# rpm -qa | grep selinux
openstack-selinux-0.8.5-1.el7ost.noarch
libselinux-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.15.noarch
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch

Comment 7 Assaf Muller 2017-03-23 17:39:00 UTC

*** This bug has been marked as a duplicate of bug 1417164 ***