Bug 1569347 - oVirt 4.2.2-3 selinux denials on openvswitch when adding host
Summary: oVirt 4.2.2-3 selinux denials on openvswitch when adding host
Keywords:
Status: CLOSED DUPLICATE of bug 1560436
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.2.3.2
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: bugs@ovirt.org
QA Contact: Meni Yakove
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-19 06:25 UTC by Sam McLeod
Modified: 2018-04-19 23:16 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-19 19:38:17 UTC
oVirt Team: Network


Attachments (Terms of Use)

Description Sam McLeod 2018-04-19 06:25:22 UTC
My apologies in advance for not being quite sure under which part of oVirt / OVS to log this bug.

Description of problem:

Adding new hosts fails under oVirt 4.2.2-3.

The web UI gives no information why the 'Install' fails - however when inspecting the install log on the engine it appears openvswitch fails to create it's empty / initial database due to a SELinux denial.

Version-Release number of selected component (if applicable):

CentOS Minimal Install.
Self-hosted engine.

openvswitch-ovn-host-2.9.0-3.el7.x86_64
ovirt-imageio-daemon-1.2.2-0.el7.centos.noarch
ovirt-host-4.2.2-2.el7.centos.x86_64
python-ovirt-engine-sdk4-4.2.4-2.el7.centos.x86_64
ovirt-host-deploy-1.7.3-1.el7.centos.noarch
python2-openvswitch-2.9.0-3.el7.noarch
ovirt-release42-4.2.2-3.el7.centos.noarch
ovirt-host-dependencies-4.2.2-2.el7.centos.x86_64
ovirt-vmconsole-host-1.0.4-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.noarch
ovirt-setup-lib-1.1.4-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.20-1.el7.centos.noarch
openvswitch-2.9.0-3.el7.x86_64
ovirt-hosted-engine-setup-2.2.16-1.el7.centos.noarch
openvswitch-ovn-common-2.9.0-3.el7.x86_64
ovirt-provider-ovn-driver-1.2.9-1.el7.centos.noarch
ovirt-engine-appliance-4.2-20180329.1.el7.centos.noarch
ovirt-imageio-common-1.2.2-0.el7.centos.noarch

How reproducible:

Every time

Steps to Reproduce:
1. CentOS minimal install
2. In UI of existing oVirt engine, add new host
3. New host will fail to install
4. Inspect of /var/log/audit/audit.log shows SELinux denials on openvswitch

Actual results:

Openvswitch should be able to start and allow the install to proceed.

Expected results:

Openvswitch cannot start and the install fails.


Additional info:

journalctl:

Journal:

-- The result is assert.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service holdoff time over, scheduling restart.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Cannot add dependency job for unit lvm2-lvmetad.socket, ignoring: Unit is masked.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: start request repeated too quickly for ovsdb-server.service
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Failed to start Open vSwitch Database Unit.
-- Subject: Unit ovsdb-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovsdb-server.service has failed.
--
-- The result is failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Unit ovsdb-server.service entered failed state.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Assertion failed for Open vSwitch Delete Transient Ports.
-- Subject: Unit ovs-delete-transient-ports.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovs-delete-transient-ports.service has failed.
--

audit.log:

type=AVC msg=audit(1524118211.426:2419): avc:  denied  { create } for  pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0


audit2allow:

# echo "type=AVC msg=audit(1524118211.426:2419): avc:  denied  { create } for  pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0" | audit2allow


#============= openvswitch_t ==============
allow openvswitch_t self:netlink_audit_socket create;

Comment 1 Dan Kenigsberg 2018-04-19 19:38:17 UTC
I bet that this is another dup of bug 1560436.
Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.

*** This bug has been marked as a duplicate of bug 1560436 ***

Comment 2 Sam McLeod 2018-04-19 23:16:32 UTC
(In reply to Dan Kenigsberg from comment #1)
> I bet that this is another dup of bug 1560436.
> Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.
> 
> *** This bug has been marked as a duplicate of bug 1560436 ***

Bingo!

Looks like the updated package was only released (on CentOS) overnight:

# grep selinux-policy-targeted.noarch /var/log/yum.log
Apr 20 03:51:43 Updated: selinux-policy-targeted.noarch 3.13.1-166.el7_4.9

I can confirm that this fixes the issue.

Thanks Dan.


Note You need to log in before you can comment on or make changes to this bug.