Bug 1569347 - oVirt 4.2.2-3 selinux denials on openvswitch when adding host
Summary: oVirt 4.2.2-3 selinux denials on openvswitch when adding host
Keywords:
Status: CLOSED DUPLICATE of bug 1560436
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.2.3.2
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: bugs@ovirt.org
QA Contact: Meni Yakove
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-19 06:25 UTC by Sam McLeod
Modified: 2018-04-19 23:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-19 19:38:17 UTC
oVirt Team: Network
Embargoed:



Description Sam McLeod 2018-04-19 06:25:22 UTC
My apologies in advance for not being quite sure under which part of oVirt / OVS to log this bug.

Description of problem:

Adding new hosts fails under oVirt 4.2.2-3.

The web UI gives no information why the 'Install' fails - however, when inspecting the install log on the engine it appears openvswitch fails to create its empty / initial database due to a SELinux denial.

Version-Release number of selected component (if applicable):

CentOS Minimal Install.
Self-hosted engine.

openvswitch-ovn-host-2.9.0-3.el7.x86_64
ovirt-imageio-daemon-1.2.2-0.el7.centos.noarch
ovirt-host-4.2.2-2.el7.centos.x86_64
python-ovirt-engine-sdk4-4.2.4-2.el7.centos.x86_64
ovirt-host-deploy-1.7.3-1.el7.centos.noarch
python2-openvswitch-2.9.0-3.el7.noarch
ovirt-release42-4.2.2-3.el7.centos.noarch
ovirt-host-dependencies-4.2.2-2.el7.centos.x86_64
ovirt-vmconsole-host-1.0.4-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.noarch
ovirt-setup-lib-1.1.4-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.20-1.el7.centos.noarch
openvswitch-2.9.0-3.el7.x86_64
ovirt-hosted-engine-setup-2.2.16-1.el7.centos.noarch
openvswitch-ovn-common-2.9.0-3.el7.x86_64
ovirt-provider-ovn-driver-1.2.9-1.el7.centos.noarch
ovirt-engine-appliance-4.2-20180329.1.el7.centos.noarch
ovirt-imageio-common-1.2.2-0.el7.centos.noarch

How reproducible:

Every time

Steps to Reproduce:
1. CentOS minimal install
2. In UI of existing oVirt engine, add new host
3. New host will fail to install
4. Inspection of /var/log/audit/audit.log shows SELinux denials on openvswitch

Actual results:

Openvswitch should be able to start and allow the install to proceed.

Expected results:

Openvswitch cannot start and the install fails.


Additional info:

journalctl:

-- The result is assert.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service holdoff time over, scheduling restart.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Cannot add dependency job for unit lvm2-lvmetad.socket, ignoring: Unit is masked.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: start request repeated too quickly for ovsdb-server.service
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Failed to start Open vSwitch Database Unit.
-- Subject: Unit ovsdb-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovsdb-server.service has failed.
--
-- The result is failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Unit ovsdb-server.service entered failed state.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Assertion failed for Open vSwitch Delete Transient Ports.
-- Subject: Unit ovs-delete-transient-ports.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovs-delete-transient-ports.service has failed.
--

audit.log:

type=AVC msg=audit(1524118211.426:2419): avc:  denied  { create } for  pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0


audit2allow:

# echo "type=AVC msg=audit(1524118211.426:2419): avc:  denied  { create } for  pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0" | audit2allow


#============= openvswitch_t ==============
allow openvswitch_t self:netlink_audit_socket create;
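
As an added illustration (not part of the report, and not audit2allow's own code): a small Python parser that turns AVC records like the one above into the same allow rule audit2allow printed, and separately flags the openvswitch_t / netlink_audit_socket create denial so it can be recognised in audit.log as this known policy gap. The sample record is the line quoted above; the second sample is a constructed one with two permissions.

```python
import re

# Sample AVC records. The first is the line from the bug report above; the
# second is a constructed record used to exercise the multi-permission path.
SAMPLE_AVC = (
    'type=AVC msg=audit(1524118211.426:2419): avc:  denied  { create } for  pid=3238 '
    'comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0'
)
SAMPLE_AVC_MULTI = (
    'type=AVC msg=audit(1524118300.001:2500): avc:  denied  { read write } for  pid=4242 '
    'comm="foo" scontext=system_u:system_r:foo_t:s0 '
    'tcontext=system_u:object_r:bar_t:s0 tclass=file permissive=1'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)(?:.*?permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['permissive'] = None if d['permissive'] is None else d['permissive'] == '1'
    # Context layout is user:role:type:level, so the type is field index 2.
    d['stype'] = d['scontext'].split(':')[2]
    d['ttype'] = d['tcontext'].split(':')[2]
    return d

def allow_rule(avc):
    """Build the policy rule audit2allow would print for one denial."""
    target = 'self' if avc['stype'] == avc['ttype'] else avc['ttype']
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"allow {avc['stype']} {target}:{avc['tclass']} {perms};"

def is_known_ovs_policy_gap(avc):
    """True for the enforcing-mode denial that stopped ovsdb-server in this bug."""
    return (avc['stype'] == 'openvswitch_t' and avc['tclass'] == 'netlink_audit_socket'
            and 'create' in avc['perms'] and avc['permissive'] is False)

def rules_from_log(lines):
    """Deduplicated allow rules for every denied AVC record in an audit.log."""
    parsed = (parse_avc(l) for l in lines)
    return sorted({allow_rule(a) for a in parsed if a and a['result'] == 'denied'})
```

The generated rule is useful for recognising the denial, not as the fix: as the next comment shows, the right remedy here was the updated selinux-policy-targeted package rather than a local allow rule.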

Comment 1 Dan Kenigsberg 2018-04-19 19:38:17 UTC
I bet that this is another dup of bug 1560436.
Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.

*** This bug has been marked as a duplicate of bug 1560436 ***

Comment 2 Sam McLeod 2018-04-19 23:16:32 UTC
(In reply to Dan Kenigsberg from comment #1)
> I bet that this is another dup of bug 1560436.
> Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.
> 
> *** This bug has been marked as a duplicate of bug 1560436 ***

Bingo!

Looks like the updated package was only released (on CentOS) overnight:

# grep selinux-policy-targeted.noarch /var/log/yum.log
Apr 20 03:51:43 Updated: selinux-policy-targeted.noarch 3.13.1-166.el7_4.9

I can confirm that this fixes the issue.

Thanks Dan.

