Red Hat Bugzilla – Bug 1540702
Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"
Last modified: 2018-04-10 08:50:32 EDT
Description of problem:
Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

type=AVC msg=audit(1517427472.598:17306): avc: denied { create } for pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This happened when SELinux is set to Enforcing. A workaround is to set SELinux to Permissive.

Version-Release number of selected component (if applicable):
[root@netqe10 vxlan-tunnel]# uname -a
Linux netqe10.knqe.lab.eng.bos.redhat.com 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@netqe10 vxlan-tunnel]# rpm -q openvswitch
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64
[root@netqe10 vxlan-tunnel]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
openstack-selinux-0.8.13-1.el7ost.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
container-selinux-2.41-1.git126c1c0.el7.noarch

How reproducible:
Reproducible

Steps to Reproduce:
1. Configure an OVS-DPDK bridge with dpdkvhostuserclient, and an NFV guest with vhostuser in server mode.
2. Start the guest while SELinux=Enforcing.
3.

Actual results:
Starting the guest hits this issue.

Expected results:
Starting the guest should succeed with SELinux=Enforcing.

Additional info:
Got the same issue With OVS 2.9.0-0.3.20180124git26cdc33.el7fdp.x86_64 under 3.10.0-693.11.6.
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s svirt_t -t tmp_t -c sock_file -T
# sesearch -s svirt_t -t tmp_t -c sock_file -p create -A -C -D
#
Got the same issue with openvswitch-2.9.0-0.1.20180108git8e3a28c.el7fdp under Rhel7.5 kernel-837.
*** Bug 1542673 has been marked as a duplicate of this bug. ***
QEMU is able to create and manipulate the socket:

# sesearch -s svirt_t -t tmp_t -c sock_file -T
Found 1 semantic te rules:
   type_transition svirt_t tmp_t : sock_file svirt_tmp_t;
# sesearch -s svirt_t -t svirt_tmp_t -c sock_file -A -C -D
Found 1 semantic av rules:
   allow virt_domain svirt_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
#

but Open vSwitch cannot access the socket, as mentioned in comment #8:

# sesearch -s openvswitch_t -t svirt_tmp_t -A -C -D
Found 2 semantic av rules:
   allow openvswitch_t file_type : filesystem getattr ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-189.el7.noarch
selinux-policy-devel-3.13.1-189.el7.noarch
selinux-policy-3.13.1-189.el7.noarch
#
Milos,

The AVC:
type=AVC msg=audit(1517427472.598:17306): avc: denied { create } for pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This reads the source context = svirt_t. Did I misunderstand something?
qemu-kvm processes are labeled svirt_t, but Open vSwitch processes (ovsdb-server and ovs-vswitchd) are labeled openvswitch_t.
Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7) installed? Does it work? Thank you
(In reply to Milos Malik from comment #22)
> Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7)
> installed? Does it work?
>
> Thank you

No, it won't work. Got lots of AVCs like these until "setenforce 0":

type=AVC msg=audit(1518752799.102:978): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752801.102:980): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752802.102:981): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752803.102:982): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752804.102:983): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

Related packages:
[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-python-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch
[root@netqe19 vhostuserclient-test]# rpm -q openvswitch
openvswitch-2.9.0-0.4.20180124git26cdc33.el7fdp.x86_64
Hi Lukas,

Sorry, 190 does not fix the issue. See the following AVCs coming out until "setenforce 0".
Please see attached below.
Thanks!
Jean

==================================================
[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-190.el7.noarch
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-190.el7.noarch

type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816173.126:1319): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816174.126:1320): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816175.126:1321): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816176.127:1322): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816177.127:1323): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
(In reply to Jean-Tsung Hsiao from comment #24)
> Hi Lukas,
>
> Sorry, 190 does not fix the issue. See the following AVC's coming out until
> "setenforce 0".
> Please see attached below.
> Thanks!
> Jean

Please note that I have changed /etc/libvirt/qemu.conf to fix the other bug:

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
group = "hugetlbfs"

[root@netqe19 vhostuserclient-test]# !ll
ll /tmp/vhost*
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:22 /tmp/vhost0
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:23 /tmp/vhost1
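The thread above shows three distinct denials hidden among many repeated AVC lines: qemu-kvm (svirt_t) creating the sock_file in /tmp, ovs-vswitchd (openvswitch_t) writing to the svirt_tmp_t socket, and ovs-vswitchd connecting to the svirt_t peer. The following added triage script (not code from this bug or from the selinux-policy project) collapses an audit log into the distinct source-type/target-type/class tuples and renders them as candidate allow rules, the same grouping audit2allow performs; the sample lines are copied from the comments above, and the rendered rules are for review against the shipped policy, not something to install blindly.

```python
import re
from collections import defaultdict

# Constructed sample: one AVC of each kind seen in this bug (create, write,
# connectto), with one repeat to show that duplicates collapse.
SAMPLE_AVCS = """\
type=AVC msg=audit(1517427472.598:17306): avc: denied { create } for pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752799.102:978): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc: denied { write } for pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518816172.126:1318): avc: denied { connectto } for pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
"""

# Permissions live inside "{ ... }"; contexts and class are key=value tokens.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC denial line into its parts, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }

def summarize_denials(text):
    """Group denials by (source type, target type, class) -> union of denied perms."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(groups)

def as_allow_rules(groups):
    """Render grouped denials as candidate TE allow rules for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == '__main__':
    for rule in as_allow_rules(summarize_denials(SAMPLE_AVCS)):
        print(rule)
```

Run it against `ausearch -m AVC -ts recent` output on the affected host to confirm whether the three denial tuples are still present after updating to the errata policy.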
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763