RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
Using an OpenStack setup with OpenDaylight on a baremetal setup.
OVS is not connected to the localhost port 6639 even though the manager is set.

Looking at /var/log/messages:
localhost ovsdb-server: ovs|02444|socket_util|ERR|6639:127.0.0.1: bind: Permission denied

After disabling SELinux binding is possible:

[root@controller-0 heat-admin]# ovs-vsctl show
dcb4ad06-1a55-4670-83a4-b4df62c599c6
    Manager "ptcp:6639:127.0.0.1"
        is_connected: true
    Manager "tcp:172.17.0.13:6640"
        is_connected: true
    Bridge br-int
...

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7_4.4.noarch
openstack-selinux-0.8.10-0.20170922165741.52b3fe8.4.el7ost.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Please attach the list (or file containing) SELinux denials which are triggered by the scenario:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Created attachment 1333763 [details]
ausearch output

Based on the documentation, ptcp 6639 port is recommended/default port. It should be allowed in the policy.

* https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/opendaylight_and_red_hat_openstack_installation_and_configuration_guide/test_the_deployment

... but it isn't.

# seinfo --portcon=6639
	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
	portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
# sesearch -s openvswitch_t -t unreserved_port_t -c tcp_socket -A -C
Found 3 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket name_connect ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket name_bind ; [ nis_enabled ]
DT allow nsswitch_domain port_type : tcp_socket { recv_msg send_msg } ; [ nis_enabled ]

#

Possible workaround is to enable the nis_enabled boolean, but we should fix it in the policy, because the scenario is not related to NIS/YP at all.

Don't see the problem with:
openstack-selinux-0.8.11-0.20171013192233.ce13ba7.el7ost.noarch