Created attachment 1415743 [details] audit log Description of problem: After OVN fresh install I saw AVC's errors: /var/log/audit/audit.log:type=AVC msg=audit(1522560978.031:266626): avc: denied { read } for pid=378856 comm="sshd" name="lastlog" dev="vda2" ino=9399191 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file /var/log/audit/audit.log:type=AVC msg=audit(1522560978.089:266632): avc: denied { read } for pid=378856 comm="sshd" name="lastlog" dev="vda2" ino=9399191 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file /var/log/audit/audit.log:type=AVC msg=audit(1522560978.090:266633): avc: denied { read write } for pid=378856 comm="sshd" name="lastlog" dev="vda2" ino=9399191 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file Version-Release number of selected component (if applicable): 13 -p 2018-03-20.2 rpm -qa | grep selinux libselinux-ruby-2.5-12.el7.x86_64 selinux-policy-targeted-3.13.1-192.el7.noarch libselinux-utils-2.5-12.el7.x86_64 openstack-selinux-0.8.14-0.20180221131810.4e6703e.el7ost.noarch container-selinux-2.55-1.el7.noarch ceph-selinux-12.2.1-46.el7cp.x86_64 libselinux-2.5-12.el7.x86_64 libselinux-python-2.5-12.el7.x86_64 selinux-policy-3.13.1-192.el7.noarch How reproducible: Steps to Reproduce: 1. Deployment with at least 3 controllers 2 compute with OVN configuration 2. grep -i AVC -r /var/log/audit/ 3. create a network, router and vm 4. grep -i AVC -r /var/log/audit/ Actual results: Expected results: Additional info:
[root@localhost ~]# ls -lZ /var/log/lastlog -rw-r--r--. root root system_u:object_r:lastlog_t:s0 /var/log/lastlog Whatever's (re)creating it should be calling restorecon. Were it the correct label, this would work: allow sshd_t lastlog_t : file { ioctl read write create getattr setattr lock append open } ;
*** This bug has been marked as a duplicate of bug 1543914 ***