Description of problem:
ovsdb-server is relied upon for OpenStack Neutron control, regardless of whether you're using OpenDaylight or ML2/OVS/OVN, and uses port 6639/tcp by default. With the latest OSP12 puddle (2017-10-03) services wishing to bind on port 6639 are not permitted by the current SELinux policy, meaning that OVS cannot come up properly and therefore instances cannot start (amongst other issues).

Version-Release number of selected component (if applicable):
[root@odl-controller ~]# rpm -qa | egrep '(kernel-3|openvswitch|selinux)'
kernel-3.10.0-693.2.2.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
python-openvswitch-2.7.2-4.git20170719.el7fdp.noarch
selinux-policy-3.13.1-166.el7_4.4.noarch
openvswitch-2.7.2-4.git20170719.el7fdp.x86_64
container-selinux-2.21-2.gitba103ac.el7.noarch
openvswitch-ovn-common-2.7.2-4.git20170719.el7fdp.x86_64
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
ceph-selinux-10.2.7-32.el7cp.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch
openvswitch-ovn-central-2.7.2-4.git20170719.el7fdp.x86_64
openstack-selinux-0.8.10-0.20170922165741.52b3fe8.4.el7ost.noarch
libselinux-ruby-2.5-11.el7.x86_64
openstack-neutron-openvswitch-11.0.1-0.20170923193224.5b0191f.el7ost.noarch
openvswitch-ovn-host-2.7.2-4.git20170719.el7fdp.x86_64

(undercloud) [stack@undercloud ~]$ rpm -qa | egrep '(templates|director)'
rhosp-director-images-12.0-20170929.1.el7ost.noarch
rhosp-director-images-ipa-12.0-20170929.1.el7ost.noarch
openstack-tripleo-heat-templates-7.0.1-0.20170925173114.el7ost.1.noarch

How reproducible:
Every time, for me!

Steps to Reproduce:
1. Deploy latest OSP12 puddle (2017.10.03)
2. Observe that OVS cannot connect to the manager 127.0.0.1:6639
3. Watch /var/log/messages (see below)
4. Disable SELinux, and watch it work properly

Actual results:
Oct 5 13:51:35 odl-controller ovsdb-server: ovs|125840|socket_util|ERR|6639:127.0.0.1: bind: Permission denied
Oct 5 13:51:35 odl-controller kernel: type=1400 audit(1507211495.417:953): avc: denied { name_bind } for pid=802 comm="ovsdb-server" src=6639 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Expected results:
OVS comes up properly with no issues due to SELinux

Additional info:
To get around this you can either run 'setenforce 0', or fix the policy properly with 'semanage port -a -t ovsdb_port_t -p tcp 6639' (noting that 6640 is already open with the policy, and is what the OpenDaylight server uses).

After the semanage command...
[root@odl-controller ~]# seinfo --portcon=6639
portcon tcp 6639 system_u:object_r:ovsdb_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
[root@odl-controller ~]# seinfo --portcon=6640
portcon tcp 6640 system_u:object_r:ovsdb_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0
Thanks!
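As an added example (not part of the bug report or the openstack-selinux project), a small POSIX shell snippet that turns an AVC name_bind denial like the one quoted above into the matching targeted 'semanage port' command, and checks which label a port resolves to in 'seinfo --portcon' style output; the audit lines and portcon listing are constructed samples, nothing here runs semanage or seinfo, and the port type (ovsdb_port_t) is a caller-supplied assumption.

```shell
# Added example, not from the bug report or openstack-selinux: turn an AVC
# name_bind denial like the one above into the targeted 'semanage port' fix,
# and check a port's label from 'seinfo --portcon' output. Nothing here runs
# semanage or seinfo; both inputs below are constructed samples.

SAMPLE_AUDIT='Oct  5 13:51:35 odl-controller kernel: type=1400 audit(1507211495.417:953): avc:  denied  { name_bind } for  pid=802 comm="ovsdb-server" src=6639 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Oct  5 13:51:36 odl-controller kernel: type=1400 audit(1507211496.001:954): avc:  denied  { read } for  pid=802 comm="ovsdb-server" name="conf.db" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

SAMPLE_SEINFO='portcon tcp 6639 system_u:object_r:ovsdb_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
portcon udp 1024-32767 system_u:object_r:unreserved_port_t:s0'

# avc_name_bind_fix TYPE < audit-lines: for each name_bind denial against
# unreserved_port_t, print the semanage command that labels the denied port
# with TYPE (chosen by the caller, e.g. ovsdb_port_t) for its protocol.
avc_name_bind_fix() {
    type="$1"
    while IFS= read -r line; do
        case "$line" in
            *"{ name_bind }"*"tcontext=system_u:object_r:unreserved_port_t:"*) ;;
            *) continue ;;   # some other denial; not what we are triaging here
        esac
        port=$(printf '%s\n' "$line" | sed -n 's/.* src=\([0-9][0-9]*\) .*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z]*\)_socket.*/\1/p')
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        [ -n "$port" ] || continue
        printf 'semanage port -a -t %s -p %s %s\n' "$type" "$proto" "$port"
    done
}

# port_label PORT PROTO < portcon-lines: print the type of the most specific
# portcon covering PORT/PROTO. A single-port entry wins over a range such as
# 1024-32767, which is why 6639 resolves to ovsdb_port_t once it is added.
port_label() {
    port="$1"; proto="$2"; best=""; bestwidth=99999
    while read -r kw p range ctx; do
        [ "$kw" = portcon ] && [ "$p" = "$proto" ] || continue
        lo=${range%-*}; hi=${range#*-}
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] || continue
        if [ $((hi - lo)) -lt "$bestwidth" ]; then
            bestwidth=$((hi - lo))
            best=${ctx#*:*:}; best=${best%:*}   # system_u:object_r:TYPE:s0 -> TYPE
        fi
    done
    printf '%s\n' "$best"
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_name_bind_fix ovsdb_port_t   # -> semanage port -a -t ovsdb_port_t -p tcp 6639
printf '%s\n' "$SAMPLE_SEINFO" | port_label 6639 tcp             # -> ovsdb_port_t
```

The unrelated { read } denial in the sample is deliberately ignored, so the output is one command for 6639/tcp rather than a blanket policy change.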
This used to work when we had nis_enabled boolean set; so this is fallout from that. The solution is to change the port type in local_settings.sh or to allow ovsdb to bind to unreserved_port_t. I'd prefer the latter.
https://github.com/redhat-openstack/openstack-selinux/commit/2cd97afab26feaf48ed2050b98648f6359c77cfb
*** Bug 1500668 has been marked as a duplicate of this bug. ***
We see a similar error in this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1498921 when ovsdb-server tries to open the 6641 and 6642 ports. The context is: OVN is deployed and OVN has two ovsdb-servers, north db and south db, listening on ports 6641 and 6642 respectively.
(In reply to Numan Siddique from comment #7)
> We see the similar error in this BZ -
> https://bugzilla.redhat.com/show_bug.cgi?id=1498921

Sorry. The correct link is https://bugzilla.redhat.com/show_bug.cgi?id=1499134

> when ovsdb-server tries
> to open 6641 and 6642 ports.
>
> The context is - OVN is deployed and OVN has two ovsdb-servers - north db
> and south db listening on ports 6641 and 6642 respectively.
https://github.com/redhat-openstack/openstack-selinux/blob/master/local_settings.sh.in#L73 (for 6641/6642)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462