Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1540702

Summary: Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"
Product: Red Hat Enterprise Linux 7 Reporter: Jean-Tsung Hsiao <jhsiao>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.4CC: aconole, atragler, ctrautma, fleitner, jhsiao, kzhang, lvrabec, mgrepl, mmalik, plautrba, rcain, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-191.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jean-Tsung Hsiao 2018-01-31 19:48:35 UTC 
Description of problem:Sta rting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This happened when Selinux is set to Enforcing. A workaround is set Selinux to Permissive.

Version-Release number of selected component (if applicable):
root@netqe10 vxlan-tunnel]# uname -a
Linux netqe10.knqe.lab.eng.bos.redhat.com 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@netqe10 vxlan-tunnel]# rpm -q openvswitch
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64

[root@netqe10 vxlan-tunnel]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
openstack-selinux-0.8.13-1.el7ost.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
container-selinux-2.41-1.git126c1c0.el7.noarch

How reproducible:Reproducible


Steps to Reproduce:
1. Config a OVS-dpdk bridge with dpdkvhostuserclient, and an NFV guest with vhostuser in server mode.
2. Start guest while Selinux=Enforcing.
3.

Actual results: Starting guest got this issue.


Expected results: Starting guest should be successful with Selinux=Enforcing.


Additional info:
Comment 2 Jean-Tsung Hsiao 2018-01-31 22:41:47 UTC 
Got the same issue With OVS 2.9.0-0.3.20180124git26cdc33.el7fdp.x86_64 under 3.10.0-693.11.6.
Comment 3 Milos Malik 2018-02-01 08:24:27 UTC 
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s svirt_t -t tmp_t -c sock_file -T

# sesearch -s svirt_t -t tmp_t -c sock_file -p create -A -C -D

#
Comment 5 Jean-Tsung Hsiao 2018-02-01 16:00:08 UTC 
Got the same issue with openvswitch-2.9.0-0.1.20180108git8e3a28c.el7fdp under Rhel7.5 kernel-837.
Comment 12 Lukas Vrabec 2018-02-07 09:09:15 UTC 
*** Bug 1542673 has been marked as a duplicate of this bug. ***
Comment 15 Milos Malik 2018-02-08 11:14:36 UTC 
QEMU is able to create and manipulate the socket,

# sesearch -s svirt_t -t tmp_t -c sock_file -T
Found 1 semantic te rules:
   type_transition svirt_t tmp_t : sock_file svirt_tmp_t; 

# sesearch -s svirt_t -t svirt_tmp_t -c sock_file -A -C -D
Found 1 semantic av rules:
   allow virt_domain svirt_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

but Open vSwitch cannot access the socket as mentioned in comment#8:

# sesearch -s openvswitch_t -t svirt_tmp_t -A -C -D
Found 2 semantic av rules:
   allow openvswitch_t file_type : filesystem getattr ; 
   allow domain tmpfile : file { ioctl read getattr lock append open } ; 

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-189.el7.noarch
selinux-policy-devel-3.13.1-189.el7.noarch
selinux-policy-3.13.1-189.el7.noarch
#
Comment 16 Aaron Conole 2018-02-08 14:16:15 UTC 
Milos,

The AVC:

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This reads the source context = svirt_t

Did I misunderstand something?
Comment 17 Milos Malik 2018-02-08 14:36:07 UTC 
qemu-kvm processes are labeled svirt_t, but Open vSwitch processes (ovsdb-server and ovs-vswitchd) are labeled openvswitch_t.
Comment 22 Milos Malik 2018-02-15 14:33:29 UTC 
Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7) installed? Does it work?

Thank you
Comment 23 Jean-Tsung Hsiao 2018-02-16 03:50:49 UTC 
(In reply to Milos Malik from comment #22)
> Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7)
> installed? Does it work?
> 
> Thank you

No, it won't work.

Got lots of AVC's like these until "setenforce 0" :

type=AVC msg=audit(1518752799.102:978): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752801.102:980): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752802.102:981): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752803.102:982): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752804.102:983): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

Related packages:

[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-python-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch
[root@netqe19 vhostuserclient-test]# rpm -q openvswitch
openvswitch-2.9.0-0.4.20180124git26cdc33.el7fdp.x86_64
Comment 24 Jean-Tsung Hsiao 2018-02-16 21:29:11 UTC 
Hi Lukas,

Sorry, 190 does not fix the issue. See the following AVC's coming out until "setenforce 0".
Please see attached below.
Thanks!
Jean
==================================================
[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-190.el7.noarch
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-190.el7.noarch

type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816173.126:1319): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816174.126:1320): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816175.126:1321): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816176.127:1322): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816177.127:1323): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
Comment 25 Jean-Tsung Hsiao 2018-02-16 21:41:43 UTC 
(In reply to Jean-Tsung Hsiao from comment #24)
> Hi Lukas,
> 
> Sorry, 190 does not fix the issue. See the following AVC's coming out until
> "setenforce 0".
> Please see attached below.
> Thanks!
> Jean
 

Please note that I have changed /etc/libvirt/qemu.conf to fix the other bug:

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
group = "hugetlbfs"

[root@netqe19 vhostuserclient-test]# !ll
ll /tmp/vhost*
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:22 /tmp/vhost0
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:23 /tmp/vhost1
Comment 32 errata-xmlrpc 2018-04-10 12:49:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763