+++ This bug was initially created as a clone of Bug #1498797 +++ Description of problem: openvswitch-2.8 fails to start with SELinux enforcing Version-Release number of selected component (if applicable): selinux-policy-3.13.1-283.5.fc27.noarch openvswitch-2.8.1-1.fc27.x86_64 Steps to Reproduce: # dnf install https://kojipkgs.fedoraproject.org//packages/openvswitch/2.8.1/1.fc27/x86_64/openvswitch-2.8.1-1.fc27.x86_64.rpm # systemctl start ovsdb-server Actual results: ovsdb-server fails to start when SELinux is enforcing, on the first denied AVC. Full list of AVCs w/ SELinux permissive is below [*] NB this is just service start, there might be more in actual operation! [*] type=AVC msg=audit(1507594742.843:184): avc: denied { create } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1507594742.843:185): avc: denied { nlmsg_relay } for pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1507594742.844:186): avc: denied { audit_write } for pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1507594743.049:195): avc: denied { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
https://github.com/fedora-selinux/selinux-policy-contrib/pull/32 Thanks Lon!
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.