Bug 1503820 - openvswitch fails to start: PAM audit_open() failed: Permission denied
Summary: openvswitch fails to start: PAM audit_open() failed: Permission denied
Keywords:
Status: CLOSED DUPLICATE of bug 1482682
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.6-Alt
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Aaron Conole
QA Contact: Junhan
URL:
Whiteboard:
Depends On: 1482682
Blocks: 1503566
Reported: 2017-10-18 20:33 UTC by Marcin Mirecki
Modified: 2021-08-30 13:24 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-27 22:18:21 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3331561 0 None None None 2018-01-24 17:06:58 UTC

Description Marcin Mirecki 2017-10-18 20:33:53 UTC
openvswitch fails to start when selinux is enabled.
It fails to create the ovs db saying: PAM audit_open() failed: Permission denied

It works fine when selinux is disabled.

The problem occurs in build:
openvswitch-2.8.0-1.el7fdb
and the master branch (as of 2017-10-16).

Comment 2 Marcin Mirecki 2017-10-19 07:44:40 UTC
Additional info:

# ls -lah /etc/openvswitch
drwxr-xr-x.   2 root root 4.0K Oct 17 15:07 .
drwxr-xr-x. 100 root root 4.0K Oct 17 14:21 ..
-rw-r--r--.   1 root root  15K Oct 17 15:07 conf.db.backup-
-rw-------.   1 root root    0 Oct 17 14:56 .conf.db.~lock~
-rw-r--r--.   1 root root  163 Oct 17 14:08 default.conf
-rw-r--r--.   1 root root   37 Oct 17 14:56 system-id.conf

# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.8.90
DB Schema 7.15.1

Build from master at: commit 7468ec78853e4c82865776c6c003a64b7b8b2a5e
Build from source and installed on a fresh vm from the built rpms.
but also occurs when installed from brew build: openvswitch-2.8.0-1.el7fdb

journalctl says:

Oct 19 09:34:55 f25_56 audit[1450]: AVC avc:  denied  { create } for  pid=1450 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket p
Oct 19 09:34:55 f25_56 runuser[1450]: PAM audit_open() failed: Permission denied
Oct 19 09:34:55 f25_56 ovs-ctl[1419]: runuser: System error
Oct 19 09:34:55 f25_56 ovs-ctl[1419]: /etc/openvswitch/conf.db does not exist ... (warning).
Oct 19 09:34:55 f25_56 audit[1452]: AVC avc:  denied  { create } for  pid=1452 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket p
Oct 19 09:34:55 f25_56 runuser[1452]: PAM audit_open() failed: Permission denied
Oct 19 09:34:55 f25_56 ovs-ctl[1419]: Creating empty database /etc/openvswitch/conf.db runuser: System error
Oct 19 09:34:55 f25_56 ovs-ctl[1419]: [FAILED]
Oct 19 09:34:55 f25_56 systemd[1]: ovsdb-server.service: Control process exited, code=exited status=1
Oct 19 09:34:55 f25_56 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ovsdb-server comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? t
Oct 19 09:34:55 f25_56 systemd[1]: Failed to start Open vSwitch Database Unit.
-- Subject: Unit ovsdb-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit ovsdb-server.service has failed.
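
The journal excerpt above shows the shape of the failure: runuser, running as openvswitch_t, is denied `create` on a `netlink_audit_socket`, so PAM's audit_open() fails and ovs-ctl cannot create the database. The script below is an added example, not part of this bug report or of Open vSwitch; it parses AVC denial lines of that shape and counts how many match the source type, permission and object class seen here, so a similar start failure can be triaged from journalctl output without reading the raw lines. The sample journal text is constructed to mirror comment 2 (the original lines are truncated on the page, so the trailing `permissive=0` field is assumed), and the function names (parse_avc, avc_denial_count, ovs_audit_denials) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): triage SELinux AVC denials of the
# kind shown in comment 2. Sample lines are constructed; function names are
# hypothetical.

# Constructed journalctl excerpt mirroring comment 2 (permissive=0 assumed).
SAMPLE_JOURNAL='Oct 19 09:34:55 f25_56 audit[1450]: AVC avc:  denied  { create } for  pid=1450 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0
Oct 19 09:34:55 f25_56 runuser[1450]: PAM audit_open() failed: Permission denied
Oct 19 09:34:55 f25_56 audit[1452]: AVC avc:  denied  { create } for  pid=1452 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0
Oct 19 09:34:55 f25_56 systemd[1]: Failed to start Open vSwitch Database Unit.'

# parse_avc: read journal text on stdin and print one line per AVC denial:
#   <source type> <permission> <object class> <comm>
parse_avc() {
    awk '
    /AVC avc: *denied/ {
        perm = ""; stype = ""; tclass = ""; comm = ""
        # the denied permission set sits inside { ... }
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) {
                split($i, ctx, ":")      # user:role:type:level -> type is 3rd
                stype = ctx[3]
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)   # strip "tclass="
            } else if ($i ~ /^comm=/) {
                comm = substr($i, 6)     # strip "comm=" and the quotes
                gsub(/"/, "", comm)
            }
        }
        print stype, perm, tclass, comm
    }'
}

# avc_denial_count <type> <perm> <class>: number of matching denials on stdin.
avc_denial_count() {
    parse_avc | awk -v t="$1" -v p="$2" -v c="$3" \
        '$1 == t && $2 == p && $3 == c { n++ } END { print n + 0 }'
}

# ovs_audit_denials: count of the exact denial from this report in the sample.
ovs_audit_denials() {
    printf '%s\n' "$SAMPLE_JOURNAL" \
        | avc_denial_count openvswitch_t create netlink_audit_socket
}

if [ "$(ovs_audit_denials)" -gt 0 ]; then
    echo "openvswitch_t denied 'create' on netlink_audit_socket:"
    echo "  runuser's PAM session cannot open the audit socket, so ovsdb-server fails to start."
    echo "  Per this bug, the fix is the updated SELinux policy (openvswitch-selinux-policy for"
    echo "  upstream builds; the RHEL selinux-policy update is tracked in bz 1482682)."
fi

# On a real host, also confirm which policy packages are installed. rpm may be
# absent where this script runs, so the check is skipped silently then.
if command -v rpm >/dev/null 2>&1; then
    rpm -q openvswitch-selinux-policy selinux-policy 2>/dev/null || true
fi
```

On a live system, feed `journalctl -u ovsdb-server` (or `ausearch -m avc -c runuser`) into `avc_denial_count` instead of the sample; a non-zero count combined with a missing or outdated policy package is the signature of this bug, and a `permissive=1` field would mean the denial is only logged, not enforced.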

Comment 3 Aaron Conole 2017-10-19 13:27:50 UTC
If you're building from master, you should also have an openvswitch-selinux-policy rpm.  Please install this - that should eliminate the selinux issues.  There is currently open bz 1482682 to track those changes.

I'm also curious why /etc/openvswitch and all its parts are owned by root - were there additional configurations that you had?  What are the contents of /etc/sysconfig/openvswitch - my guess is you may have some kinds of permissions problems popping up with various install / remove / upgrade paths.

Comment 4 Aaron Conole 2017-10-20 19:30:28 UTC
Forgot to set the needinfo flag.  See comment #3.

Comment 6 Marcin Mirecki 2017-11-14 20:53:46 UTC
I've built master and installed openvswitch-selinux-policy-2.8.90-1.fc25.noarch.rpm
This indeed fixes the problem!

The contents of the /etc/openvswitch/ and /etc/sysconfig/openvswitch dirs are listed below. Keep in mind this is my dev environment, so it has quite a history of all kinds of tests and tweaks (although the problem also occurred on our test envs, which are recreated from scratch every time).

# ls -al /etc/openvswitch/
total 8276
drwxr-xr-x.   2 root root    4096 Nov 14 21:46 .
drwxr-xr-x. 191 root root   12288 Nov 14 21:24 ..
-rw-------.   1 root root       0 Sep 29  2016 .conf.db.tmp.~lock~
-rw-------.   1 root root       0 Nov 14 21:46 .conf.db.~lock~
-rw-------.   1 root root       0 Aug 24  2016 .ovnnb.db.~lock~
-rw-------.   1 root root       0 Aug 17 09:14 .ovnnb_db.db.tmp.~lock~
-rw-------.   1 root root       0 Jan 19  2017 .ovnnb_db.db.~lock~
-rw-------.   1 root root       0 Aug 24  2016 .ovnsb.db.~lock~
-rw-------.   1 root root       0 Aug 17 09:14 .ovnsb_db.db.tmp.~lock~
-rw-------.   1 root root       0 Jan 19  2017 .ovnsb_db.db.~lock~
-rw-r--r--.   1 root root  218948 Nov  8 14:09 conf.db
-rw-r--r--.   1 root root   14185 Oct  3  2016 conf.db.backup7.13.0-2202834738
-rw-r--r--.   1 root root   16868 Aug  8 18:10 conf.db.backup7.14.0-3374030633
-rw-r--r--.   1 root root 7001822 Oct  5 13:06 conf.db.backup7.14.0-3974332717
-rw-r--r--.   1 root root     163 Nov 14 21:25 default.conf
-rw-r--r--.   1 root root   79997 Sep 29  2016 ovnnb.db
-rw-r--r--.   1 root root  150696 Oct  3 14:05 ovnnb_db.db
-rw-r--r--.   1 root root   18242 Aug 17 09:14 ovnnb_db.db.backup5.4.1-3485560318
-rw-r--r--.   1 root root  186385 Sep 29  2016 ovnsb.db
-rw-r--r--.   1 root root  504863 Oct  3 14:05 ovnsb_db.db
-rw-r--r--.   1 root root  220447 Aug 17 09:14 ovnsb_db.db.backup1.9.0-2240045372
-rw-r--r--.   1 root root      37 Sep 20  2016 system-id.conf

# ls -al /etc/sysconfig/openvswitch
-rw-r--r--. 1 root root 755 Nov 14 21:25 /etc/sysconfig/openvswitch

Comment 7 Marcin Mirecki 2017-11-17 08:53:18 UTC
I just noticed that none of the latest brew builds include the openvswitch-selinux-policy package.
The latest one as of today is:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=623960

When could we expect a build that includes this:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=623960

Comment 8 Aaron Conole 2017-11-21 16:02:37 UTC
We don't ship our own selinux packages.  RHEL uses selinux-policy package.  That is being updated (see bz #1482682), but I'm not sure when it will land.

Is that all that is the problem?  If so, we can probably close this as a duplicate of that?

