Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1433432

Summary: Upgrading OSP9 to OSP10 with OVS2.6 produces AVCs denied ovs-vsctl in audit.log .
Product: Red Hat Enterprise Linux 7 Reporter: Omri Hochman <ohochman>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: amuller, apevec, chrisw, lvrabec, mburns, mgrepl, mmalik, oblaut, ohochman, plautrba, pvrabec, rhos-maint, srevivo, ssekidde
Target Milestone: pre-dev-freeze   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-23 17:39:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1408224    
Attachments:
Description Flags
audit.log none

Description Omri Hochman 2017-03-17 16:00:29 UTC 
Created attachment 1264128 [details]
audit.log

Upgrading OSP9 to OSP10 with OVS2.6 produces AVCs denied ovs-vsctl in audit.log .

Environment: 
-------------
python-openvswitch-2.6.1-10.git20161206.el7fdp.noarch
openstack-neutron-openvswitch-9.2.0-2.el7ost.noarch
openstack-neutron-openvswitch-8.3.0-3.el7ost.noarch
openvswitch-2.6.1-10.git20161206.el7fdp.x86_64


Description : 
------------
After deployment of Openstack using Director (OSP-9),  we attempted to enable the repo that provides OVS2.6  and ran major-Upgrade from OSP9 to --> OSP10 , when Upgrade finished, I noticed that there are AVCs messages .   

We couldn't found any "side-effects" or bad behavior that caused by those messages. 


var/log/audit/audit.log  ( Attached on the controller ) 
-----------------------------------------------
type=AVC msg=audit(1489696884.115:42): avc:  denied  { search } for  pid=1387 comm="ovs-vsctl" name="1360" dev="proc" ino=19827 scontext=system_u:system_r:
openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696884.115:42): arch=c000003e syscall=2 success=no exit=-13 a0=7fa12096f580 a1=0 a2=1b6 a3=24 items=0 ppid=1360 pid=1387 auid=42
94967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r
:openvswitch_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1489696884.121:43): dev=vlan20 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1489696884.121:43): arch=c000003e syscall=46 success=yes exit=56 a0=10 a1=7ffe120cef70 a2=0 a3=40 items=0 ppid=1 pid=812 auid=429496
7295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:syste
m_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696890.179:44): avc:  denied  { search } for  pid=1520 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:
openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.179:44): arch=c000003e syscall=2 success=no exit=-13 a0=7f92c6b7ae40 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1520 auid=42
94967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r
:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696890.186:45): avc:  denied  { search } for  pid=1521 comm="ovs-vsctl" name="1493" dev="proc" ino=19988 scontext=system_u:system_r:
openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696890.186:45): arch=c000003e syscall=2 success=no exit=-13 a0=7f355f163c30 a1=0 a2=1b6 a3=24 items=0 ppid=1493 pid=1521 auid=42
94967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r
:openvswitch_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1489696890.192:46): dev=vlan30 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=SYSCALL msg=audit(1489696890.192:46): arch=c000003e syscall=46 success=yes exit=56 a0=10 a1=7ffe120cef70 a2=0 a3=40 items=0 ppid=1 pid=812 auid=429496
7295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:syste
m_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1489696896.646:47): avc:  denied  { search } for  pid=1648 comm="ovs-vsctl" name="1621" dev="proc" ino=20057 scontext=system_u:system_r:
openvswitch_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=SYSCALL msg=audit(1489696896.646:47): arch=c000003e syscall=2 success=no exit=-13 a0=7f7e1aaabad0 a1=0 a2=1b6 a3=24 items=0 ppid=1621 pid=1648 auid=42
94967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r
:openvswitch_t:s0 key=(null)
Comment 1 Flavio Leitner 2017-03-17 17:21:56 UTC 
These were fixed already, are you sure you have latest selinux-policy?
Please try the fixed package from https://bugzilla.redhat.com/show_bug.cgi?id=1430751

That is the latest bug which should include the fix for the reported issues plus the next one you will find :-)
Comment 2 Omri Hochman 2017-03-20 16:19:06 UTC 
(In reply to Flavio Leitner from comment #1)
> These were fixed already, are you sure you have latest selinux-policy?
> Please try the fixed package from
> https://bugzilla.redhat.com/show_bug.cgi?id=1430751
> 
> That is the latest bug which should include the fix for the reported issues
> plus the next one you will find :-)


hi flavio :  the issue occurred with the latest OSP10  ( upgraded from OSP9 ) 
so that was the current SELinux  package released in osp10 .


[root@instack ~]# rpm -qa | grep selinux
openstack-selinux-0.8.5-1.el7ost.noarch
libselinux-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.15.noarch
selinux-policy-targeted-3.13.1-102.el7_3.15.noarch
Comment 7 Assaf Muller 2017-03-23 17:39:00 UTC 

*** This bug has been marked as a duplicate of bug 1417164 ***