Bug 1529475 - incompatible opensm and selinux
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-12-28 09:33 UTC by M.Cerveny
Modified: 2018-01-02 16:29 UTC (History)

Last Closed: 2018-01-02 16:29:52 UTC
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1517744 0 unspecified CLOSED [RHEL-7.5] BUG: SELinux policy does not allow the opensm_t domain to control IB networks 2021-02-22 00:41:40 UTC

Description M.Cerveny 2017-12-28 09:33:42 UTC
Description of problem:
opensm is unstartable during startup scripts due to selinux policy.
See RH bug 1517744

Version-Release number of selected component (if applicable):
# rpm -qa | grep  opensm
opensm-3.3.20-6.fc27.x86_64
opensm-libs-3.3.20-6.fc27.x86_64
#  rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-283.17.fc27.noarch
selinux-policy-3.13.1-283.17.fc27.noarch
# getenforce 
Enforcing

Actual results:
Dec 28 09:53:35 xen2 opensm-launch[2615]: OpenSM 3.3.20
Dec 28 09:53:35 xen2 opensm-launch[2615]: Entering DISCOVERING state
Dec 28 09:53:35 xen2 OpenSM[2639]: /var/log/opensm.log log file opened
Dec 28 09:53:35 xen2 OpenSM[2639]: OpenSM 3.3.20
Dec 28 09:53:35 xen2 OpenSM[2639]: Entering DISCOVERING state
Dec 28 09:53:35 xen2 audit[2639]: AVC avc:  denied  { manage_subnet } for  pid=2639 comm="opensm" device=mlx4_0 port_num=2 scontext=system_u:system_r:opensm_t:s0 tcontext=s
Dec 28 09:53:35 xen2 opensm-launch[2615]: Error from osm_opensm_bind (0x2A)
Dec 28 09:53:35 xen2 opensm-launch[2615]: Perhaps another instance of OpenSM is already running
Dec 28 09:53:35 xen2 opensm-launch[2615]: Exiting SM
Dec 28 09:53:35 xen2 OpenSM[2639]: Exiting SM
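
An added triage example (not part of the original report, and not opensm or selinux-policy code): it parses the journal lines quoted in the description, pulls the denied permission and source domain out of the AVC record, and checks whether the denied PID then logged "Exiting SM". The function names are hypothetical. The AVC record is cut off in the report, so the parser lists the target type and class as missing instead of guessing them.

```python
import re

# Sample input: four journal lines from the report above. The AVC record is
# cut off after "tcontext=s" in the report and is kept that way here.
SAMPLE = [
    'Dec 28 09:53:35 xen2 OpenSM[2639]: Entering DISCOVERING state',
    'Dec 28 09:53:35 xen2 audit[2639]: AVC avc:  denied  { manage_subnet } for  pid=2639 comm="opensm" device=mlx4_0 port_num=2 scontext=system_u:system_r:opensm_t:s0 tcontext=s',
    'Dec 28 09:53:35 xen2 opensm-launch[2615]: Error from osm_opensm_bind (0x2A)',
    'Dec 28 09:53:35 xen2 OpenSM[2639]: Exiting SM',
]

SYSLOG = re.compile(r'^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type:level, or None if truncated."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 4 else None

def parse_avc(msg):
    """Parse one AVC denial message into a dict; None if it is not a denial."""
    m = AVC.search(msg)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KEYVAL.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['source_type'] = selinux_type(rec.get('scontext'))
    rec['target_type'] = selinux_type(rec.get('tcontext'))
    # Fields a policy rule needs that this (possibly truncated) record lacks.
    rec['incomplete'] = [k for k in ('target_type', 'tclass') if not rec.get(k)]
    return rec

def denials_for_domain(lines, domain):
    """Denials whose source domain matches, flagged if that PID later exits."""
    found = []
    for line in lines:
        s = SYSLOG.match(line)
        if not s:
            continue
        rec = parse_avc(s['msg'])
        if rec and rec['source_type'] == domain:
            rec['process_exited'] = False
            found.append(rec)
        for d in found:
            if d.get('pid') == s['pid'] and 'Exiting SM' in s['msg']:
                d['process_exited'] = True
    return found
```

A non-empty `incomplete` list means the journal copy is not enough to read the full denial; the complete record can be pulled with `ausearch -m AVC -ts today`, as used later in this thread.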

Comment 1 Honggang LI 2017-12-28 12:25:02 UTC
As it is a selinux issue, change the component to selinux-policy.

Comment 2 Lukas Vrabec 2018-01-02 14:21:08 UTC
# ps -efZ | grep opensm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2739 1202  0 15:17 pts/0 00:00:00 grep --color=auto opensm

# systemctl start opensm

# ps -efZ | grep opensm
system_u:system_r:opensm_t:s0   root      2743     1  0 15:17 ?        00:00:00 /bin/bash /usr/libexec/opensm-launch
system_u:system_r:opensm_t:s0   root      2748  2743  0 15:17 ?        00:00:00 sleep 30
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2750 1202  0 15:17 pts/0 00:00:00 grep --color=auto opensm

# getenforce 
Enforcing

# ausearch -m AVC -ts today
<no matches>

# rpm -q selinux-policy 
selinux-policy-3.13.1-283.19.fc27.noarch

It looks like it's fixed in -19.fc27 selinux-policy version. Could you please update:

# dnf update selinux-policy --enablerepo=updates-testing 

and then start opensm? 

Thanks,
Lukas.

Comment 3 M.Cerveny 2018-01-02 15:54:43 UTC
Yes, seems to be corrected in updates-testing.

# getenforce
Enforcing

# rpm -q selinux-policy 
selinux-policy-3.13.1-283.19.fc27.noarch

# ps -efZ | grep opensm
system_u:system_r:opensm_t:s0   root       804     1  0 16:47 ?        00:00:00 /bin/bash /usr/libexec/opensm-launch
system_u:system_r:opensm_t:s0   root       806   804  0 16:47 ?        00:00:00 /usr/sbin/opensm -g 0x0002c903005a6e37
system_u:system_r:opensm_t:s0   root       889     1  0 16:47 ?        00:00:00 /bin/bash /usr/libexec/opensm-launch
system_u:system_r:opensm_t:s0   root       891   889  0 16:47 ?        00:00:00 /usr/sbin/opensm -g 0x0002c903005a6e38
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1645 1625  0 16:48 pts/0 00:00:00 grep --color=auto opensm

Thanks, Martin

Comment 4 Lukas Vrabec 2018-01-02 16:29:52 UTC
Thanks for testing. 

Closing.

