Description of problem:
AVCs appear in the logs related to ovs-vsctl when run with OpenStack. This only occurs with Open vSwitch 2.6.0 and later:
https://github.com/openvswitch/ovs/blob/15931827ee9198edf84861c0e30f6d20cd04fd83/utilities/ovs-vsctl.c#L2504

The 2.5.1 code did not do this:
https://github.com/openvswitch/ovs/blob/3443a502269510cf3de9d8b707e17392047626b9/utilities/ovs-vsctl.c

Note however that the only functional thing that occurs is ovs-vsctl reads /proc/$PPID/cmdline in order to print largely what amounts to debugging information into the logs.

Version-Release number of selected component (if applicable):
openstack-selinux 0.8.6
openvswitch 2.6.0+

How reproducible:
100%
The AVC looks like:

type=AVC msg=audit(1494056788.547:1389): avc: denied { read } for pid=88096 comm="ovs-vsctl" name="cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file

Since this is debugging information primarily, I recommend dontaudit, since giving OVS blanket access to read all of neutron_t is not worth it:

dontaudit openvswitch_t neutron_t:file read;

However, this could mask other problems in the future (if for example OVS really _did_ need to read all of neutron_t files).
https://github.com/redhat-openstack/openstack-selinux/commit/b00b11d95f4a5c9a24271f4d9f6d6d2b0687ccf4
Needs open and getattr too. :/
https://github.com/redhat-openstack/openstack-selinux/commit/d47d5cd55bd758298e5589d54f9835eae6c13f99
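The pattern in comments 2 and 4 (dontaudit one permission, then find that open and getattr are denied next) is easy to check for offline. The following is an added example, not code from the bug report or from openstack-selinux: it parses AVC records from an audit log, aggregates denied permissions per source type / target type / object class, renders candidate dontaudit rules, and reports which permissions a proposed rule still leaves uncovered. The first sample line is the AVC quoted in comment 2; the open and getattr lines and the SYSCALL line are constructed for illustration, and the three-permission rule checked at the end is assumed from comments 2 and 4, not copied from the linked commits.

```python
"""Aggregate SELinux AVC denials into candidate policy rules and check coverage.

Added example; not part of the bug report or of openstack-selinux.
"""
import re
from collections import defaultdict

# Constructed sample audit log. Line 1 is the AVC quoted in the bug report;
# the open/getattr lines are constructed to show the denials that surface
# once `read` alone is dontaudited; the SYSCALL line is non-AVC noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1494056788.547:1389): avc:  denied  { read } for  pid=88096 comm="ovs-vsctl" name="cmdline" dev="proc" ino=250022 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
type=AVC msg=audit(1494056801.102:1390): avc:  denied  { open } for  pid=88101 comm="ovs-vsctl" path="/proc/88099/cmdline" dev="proc" ino=250030 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
type=AVC msg=audit(1494056801.103:1391): avc:  denied  { getattr } for  pid=88101 comm="ovs-vsctl" path="/proc/88099/cmdline" dev="proc" ino=250030 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file
type=SYSCALL msg=audit(1494056801.103:1391): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields we need from an AVC record: the braced permission set, both
# security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# A .te-style access vector rule: "allow|dontaudit src tgt:class perm;" or
# "... { perm perm };".
RULE_RE = re.compile(
    r"^\s*(?P<kind>allow|dontaudit)\s+(?P<stype>\S+)\s+(?P<ttype>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]+?)\s*\}|(?P<single>\w+))\s*;"
)


def parse_avc(line):
    """Return the denial's perms/types/class, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of user:role:type:level.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def aggregate(audit_text):
    """Map (source type, target type, class) -> union of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            denials[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(denials)


def render_rules(denials, kind="dontaudit"):
    """Render one rule per (stype, ttype, tclass) key, permissions sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return rules


def parse_rule(rule):
    """Return ((stype, ttype, tclass), perms) for an allow/dontaudit rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not an access vector rule: {rule!r}")
    perms = set(m.group("set").split()) if m.group("set") else {m.group("single")}
    return (m.group("stype"), m.group("ttype"), m.group("tclass")), perms


def missing_perms(audit_text, rule):
    """Permissions denied in the log that the proposed rule does not cover."""
    key, covered = parse_rule(rule)
    return aggregate(audit_text).get(key, set()) - covered


if __name__ == "__main__":
    for r in render_rules(aggregate(SAMPLE_AUDIT_LOG)):
        print(r)
    first_try = "dontaudit openvswitch_t neutron_t:file read;"
    print("still audited after", first_try, "->", sorted(missing_perms(SAMPLE_AUDIT_LOG, first_try)))
```

Run it against a real /var/log/audit/audit.log slice instead of SAMPLE_AUDIT_LOG to see every permission a domain pair needs before committing a rule; the same check works for an allow rule, which is the alternative comment 2 argues against for this pair.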
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2722