Bug 1498797 - ovsdb-server fails to start with OVS-2.8.1 with AVC denial
Summary: ovsdb-server fails to start with OVS-2.8.1 with AVC denial
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1500122
Reported: 2017-10-05 09:37 UTC by Alfredo Moralejo
Modified: 2018-03-15 21:00 UTC

Fixed In Version:
Clone Of:
: 1500122 (view as bug list)
Environment:
Last Closed: 2018-03-15 21:00:13 UTC
Embargoed:


Attachments
audit.log from permissive stop/start (21.14 KB, text/plain)
2017-10-10 15:03 UTC, Lon Hohberger

Description Alfredo Moralejo 2017-10-05 09:37:41 UTC
Description of problem:

When trying to start ovsdb-server using the package in http://cbs.centos.org/koji/buildinfo?buildID=20048, it fails to start with the following error:


Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Starting Open vSwitch Database Unit...
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4880]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4882]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4884]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4888]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: Backing up database to /etc/openvswitch/conf.db.backup- cp: cannot create regular file '/etc/openvswitch/conf.db.backup-': Permissio
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: [FAILED]
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service: control process exited, code=exited status=1
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Failed to start Open vSwitch Database Unit.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Unit ovsdb-server.service entered failed state.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service failed.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service holdoff time over, scheduling restart.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: start request repeated too quickly for ovsdb-server.service
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Failed to start Open vSwitch Database Unit.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Unit ovsdb-server.service entered failed state.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service failed.


The following AVC denials appear in audit.log:

80. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21315
81. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21314
82. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21316
83. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21317
84. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21318
85. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21334
86. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21335
87. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21336
88. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21337
89. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21338
90. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21344
91. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21345
92. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21346
93. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21347
94. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21348
95. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21366
96. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21367
97. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21368
98. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21369
99. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21370
100. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21374
101. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21375
102. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21376
103. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21377
104. 10/05/2017 09:11:38 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21378

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Take ovs-2.8.1 build from CBS:

cd ~
wget http://cbs.centos.org/kojifiles/packages/openvswitch/2.8.1/1.1fc28.el7/x86_64/openvswitch-2.8.1-1.1fc28.el7.x86_64.rpm

2. Install openvswitch

yum -y localinstall openvswitch-2.8.1-1.1fc28.el7.x86_64.rpm


3. Start ovsdb-server

systemctl start ovsdb-server


Actual results:

ovsdb-server fails to start

Expected results:

ovsdb-server should start fine

Additional info:

Comment 1 Alan Pevec 2017-10-10 00:24:58 UTC
This can be reproduced on Fedora 27 with:
  selinux-policy-3.13.1-283.5.fc27.noarch
  openvswitch-2.8.1-1.fc27.x86_64
List of AVCs w/ SELinux permissive is below [*]
NB: this is just the service start; there might be more in actual operation!

This needs to be pushed first to https://github.com/fedora-selinux/selinux-policy
then backported to openstack-selinux.

[*]
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1507594743.049:195): avc:  denied  { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1

Comment 2 Lon Hohberger 2017-10-10 15:03:04 UTC
Created attachment 1336797
audit.log from permissive stop/start

Comment 3 Lon Hohberger 2017-10-10 15:05:07 UTC
#============= openvswitch_t ==============
allow openvswitch_t self:capability audit_write;
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay };

These are simple enough and consistent with the workings of openvswitch.

Comment 5 Alfredo Moralejo 2017-10-13 08:27:01 UTC
ovsdb-server is still failing to start after https://github.com/redhat-openstack/openstack-selinux/commit/c677012699d2bad1846ab2a927b2af89ed976dcf

I could start it after adding the following policies:

#============= openvswitch_t ==============
allow openvswitch_t self:capability dac_override;
allow openvswitch_t self:netlink_audit_socket { read write };

Note that some of the AVC issues only appear after I disabled dontaudit (semodule -DB).

Comment 6 Alfredo Moralejo 2017-10-13 08:37:04 UTC
The messages I found in audit.log after disabling dontaudit:


type=AVC msg=audit(1507882760.767:1386): avc:  denied  { write } for  pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket


type=AVC msg=audit(1507882834.017:1434): avc:  denied  { read } for  pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket

type=AVC msg=audit(1507882927.297:1507): avc:  denied  { dac_override } for  pid=6744 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability
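The workflow across comments 1, 3, 5 and 6 is the usual audit2allow loop: collect the AVC records, fold them into one allow rule per (source type, target type, class), and review each rule against what the daemon legitimately does before shipping it. The Python script below is an added example written for this page, not code from the bug, from openstack-selinux or from the audit2allow tool itself. It parses the AVC lines quoted in comments 1 and 6 (embedded as a constructed sample), separates denials that were only logged in permissive mode from ones that actually blocked the access, and renders the aggregated rules as policy module source in the shape `audit2allow -M` emits. The module name and the trailing SYSCALL record in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in comments 1 and 6 of this bug,
# plus one made-up SYSCALL record to show that non-AVC records are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507882760.767:1386): avc:  denied  { write } for  pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1507882834.017:1434): avc:  denied  { read } for  pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1507882927.297:1507): avc:  denied  { dac_override } for  pid=6744 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability
type=SYSCALL msg=audit(1507882927.297:1507): arch=c000003e syscall=2 success=yes exit=3 comm="ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0
"""

# One AVC record: action, permission set, comm, source/target context, class and the
# optional permissive=1 marker that means the access was logged but not blocked.
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+(?P<action>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc_records(text):
    """Parse AVC records into dicts; non-AVC records and unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        records.append({
            "action": m.group("action"),
            "perms": m.group("perms").split(),
            "comm": m.group("comm"),
            # user:role:type:level -> the type is the third field
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def blocked_denials(records):
    """Denials that really failed the caller: enforcing mode, i.e. no permissive=1."""
    return [r for r in records if r["action"] == "denied" and not r["permissive"]]


def aggregate_denials(records):
    """Union the denied permissions per (source type, target type, class), sorted."""
    perms = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {key: sorted(p) for key, p in sorted(perms.items())}


def render_rules(agg):
    """Render aggregated denials as audit2allow-style allow rules."""
    rules = []
    for (stype, ttype, tclass), perms in agg.items():
        target = "self" if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def render_te_module(agg, module_name):
    """Render a minimal .te source (module header, require block, rules)."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in agg.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    rules = render_rules(agg)
    for stype in sorted({key[0] for key in agg}):
        lines.append(f"#============= {stype} ==============")
        lines += [rule for rule in rules if rule.split()[1] == stype]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    print(f"{len(blocked_denials(recs))} of {len(recs)} denials were enforced (no permissive=1)")
    # Assumed module name; pick whatever naming the local policy tree uses.
    print(render_te_module(aggregate_denials(recs), "openvswitch_avc_local"))
```

Run on the sample, the aggregated output is exactly the union of the rules in comment 3 and comment 5 (`audit_write dac_override` on capability, `create nlmsg_relay read write` on netlink_audit_socket). Two caveats the log alone does not tell you: permissions hidden by dontaudit rules (here the read/write on the audit socket) only reach audit.log after `semodule -DB`, so a rule set generated without that step is incomplete, which is what comment 5 ran into; and `dac_override` is a broad capability grant, so it is worth confirming that the file access in question (the conf.db backup under /etc/openvswitch) really needs it rather than copying the generated rule blindly.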

Comment 7 Lon Hohberger 2017-10-13 15:18:23 UTC
Thanks!

Comment 9 Alfredo Moralejo 2017-10-13 16:26:05 UTC
It's working fine in my test environment after https://github.com/redhat-openstack/openstack-selinux/commit/9d30e36cea34027f6e4cda7fb190c2c989223f18

