1540702 – Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1540702 - Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

Summary: Starting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Perm...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1542673 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-31 19:48 UTC by Jean-Tsung Hsiao
Modified:	2018-04-10 12:50 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.13.1-191.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 12:49:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	0	None	None	None	2018-04-10 12:50:32 UTC

Description Jean-Tsung Hsiao 2018-01-31 19:48:35 UTC

Description of problem:Sta rting an OVS guest encountered "failed to bind socket to /tmp/vhost0: Permission denied"

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This happened when Selinux is set to Enforcing. A workaround is set Selinux to Permissive.

Version-Release number of selected component (if applicable):
root@netqe10 vxlan-tunnel]# uname -a
Linux netqe10.knqe.lab.eng.bos.redhat.com 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@netqe10 vxlan-tunnel]# rpm -q openvswitch
openvswitch-2.7.3-3.git20180112.el7fdp.x86_64

[root@netqe10 vxlan-tunnel]# rpm -qa | grep -i selinux
libselinux-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.7.noarch
openstack-selinux-0.8.13-1.el7ost.noarch
selinux-policy-3.13.1-166.el7_4.7.noarch
libselinux-utils-2.5-11.el7.x86_64
container-selinux-2.41-1.git126c1c0.el7.noarch

How reproducible:Reproducible


Steps to Reproduce:
1. Config a OVS-dpdk bridge with dpdkvhostuserclient, and an NFV guest with vhostuser in server mode.
2. Start guest while Selinux=Enforcing.
3.

Actual results: Starting guest got this issue.


Expected results: Starting guest should be successful with Selinux=Enforcing.


Additional info:

Comment 2 Jean-Tsung Hsiao 2018-01-31 22:41:47 UTC

Got the same issue With OVS 2.9.0-0.3.20180124git26cdc33.el7fdp.x86_64 under 3.10.0-693.11.6.

Comment 3 Milos Malik 2018-02-01 08:24:27 UTC

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-186.el7.noarch
selinux-policy-3.13.1-186.el7.noarch
# sesearch -s svirt_t -t tmp_t -c sock_file -T

# sesearch -s svirt_t -t tmp_t -c sock_file -p create -A -C -D

#

Comment 5 Jean-Tsung Hsiao 2018-02-01 16:00:08 UTC

Got the same issue with openvswitch-2.9.0-0.1.20180108git8e3a28c.el7fdp under Rhel7.5 kernel-837.

Comment 12 Lukas Vrabec 2018-02-07 09:09:15 UTC

*** Bug 1542673 has been marked as a duplicate of this bug. ***

Comment 15 Milos Malik 2018-02-08 11:14:36 UTC

QEMU is able to create and manipulate the socket,

# sesearch -s svirt_t -t tmp_t -c sock_file -T
Found 1 semantic te rules:
   type_transition svirt_t tmp_t : sock_file svirt_tmp_t; 

# sesearch -s svirt_t -t svirt_tmp_t -c sock_file -A -C -D
Found 1 semantic av rules:
   allow virt_domain svirt_tmp_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

#

but Open vSwitch cannot access the socket as mentioned in comment#8:

# sesearch -s openvswitch_t -t svirt_tmp_t -A -C -D
Found 2 semantic av rules:
   allow openvswitch_t file_type : filesystem getattr ; 
   allow domain tmpfile : file { ioctl read getattr lock append open } ; 

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-189.el7.noarch
selinux-policy-devel-3.13.1-189.el7.noarch
selinux-policy-3.13.1-189.el7.noarch
#

Comment 16 Aaron Conole 2018-02-08 14:16:15 UTC

Milos,

The AVC:

type=AVC msg=audit(1517427472.598:17306): avc:  denied  { create } for  pid=135596 comm="qemu-kvm" name="vhost0" scontext=system_u:system_r:svirt_t:s0:c495,c759 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

This reads the source context = svirt_t

Did I misunderstand something?

Comment 17 Milos Malik 2018-02-08 14:36:07 UTC

qemu-kvm processes are labeled svirt_t, but Open vSwitch processes (ovsdb-server and ovs-vswitchd) are labeled openvswitch_t.

Comment 22 Milos Malik 2018-02-15 14:33:29 UTC

Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7) installed? Does it work?

Thank you

Comment 23 Jean-Tsung Hsiao 2018-02-16 03:50:49 UTC

(In reply to Milos Malik from comment #22)
> Can you re-test the scenario with the latest selinux-policy (3.13.1-189.el7)
> installed? Does it work?
> 
> Thank you

No, it won't work.

Got lots of AVC's like these until "setenforce 0" :

type=AVC msg=audit(1518752799.102:978): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752800.102:979): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752801.102:980): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752802.102:981): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752803.102:982): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1518752804.102:983): avc:  denied  { write } for  pid=14368 comm="ovs-vswitchd" name="vhost0" dev="dm-0" ino=94 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:svirt_tmp_t:s0 tclass=sock_file

Related packages:

[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-189.el7.noarch
libselinux-python-2.5-12.el7.x86_64
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-189.el7.noarch
[root@netqe19 vhostuserclient-test]# rpm -q openvswitch
openvswitch-2.9.0-0.4.20180124git26cdc33.el7fdp.x86_64

Comment 24 Jean-Tsung Hsiao 2018-02-16 21:29:11 UTC

Hi Lukas,

Sorry, 190 does not fix the issue. See the following AVC's coming out until "setenforce 0".
Please see attached below.
Thanks!
Jean
==================================================
[root@netqe19 vhostuserclient-test]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-targeted-3.13.1-190.el7.noarch
libselinux-utils-2.5-12.el7.x86_64
selinux-policy-3.13.1-190.el7.noarch

type=AVC msg=audit(1518816172.126:1318): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816173.126:1319): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816174.126:1320): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816175.126:1321): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816176.127:1322): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket
type=AVC msg=audit(1518816177.127:1323): avc:  denied  { connectto } for  pid=32717 comm="ovs-vswitchd" path="/tmp/vhost0" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c106,c530 tclass=unix_stream_socket

Comment 25 Jean-Tsung Hsiao 2018-02-16 21:41:43 UTC

(In reply to Jean-Tsung Hsiao from comment #24)
> Hi Lukas,
> 
> Sorry, 190 does not fix the issue. See the following AVC's coming out until
> "setenforce 0".
> Please see attached below.
> Thanks!
> Jean
 

Please note that I have changed /etc/libvirt/qemu.conf to fix the other bug:

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"
group = "hugetlbfs"

[root@netqe19 vhostuserclient-test]# !ll
ll /tmp/vhost*
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:22 /tmp/vhost0
srwxrwxr-x. 1 qemu hugetlbfs 0 Feb 16 16:23 /tmp/vhost1

Comment 32 errata-xmlrpc 2018-04-10 12:49:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.