Bug 1642591

Summary: openvswitch fails to start on nova compute nodes due to selinux failure
Product: Red Hat OpenStack
Reporter: Lars Kellogg-Stedman <lars>
Component: openvswitch-selinux-extra-policy
Assignee: Aaron Conole <aconole>
Status: CLOSED ERRATA
QA Contact: Ofer Blaut <oblaut>
Severity: high
Priority: medium
Version: 13.0 (Queens)
CC: atelang, mariel, ragiman, rkhan, tredaelli
Target Milestone: z4
Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openvswitch-selinux-extra-policy-1.0-8.el7fdp
Doc Type: If docs needed, set a value
Clones: 1647102
Last Closed: 2019-01-16 17:53:54 UTC
Type: Bug
Bug Blocks: 1647102

Description Lars Kellogg-Stedman 2018-10-24 18:12:01 UTC
Description of problem:

Openvswitch fails to start on OSP 13 overcloud nodes (split-stack install) due to the following selinux AVC:

avc:  denied  { write } for  pid=351746 comm="ovsdb-server" name="openvswitch" dev="tmpfs" ino=84668 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir

This is preventing access to /var/run/openvswitch.

Version-Release number of selected component (if applicable):

openvswitch-selinux-extra-policy-1.0-5.el7fdp.noarch
python-openvswitch-2.9.0-56.el7fdp.noarch
openstack-neutron-openvswitch-12.0.3-5.el7ost.noarch
openvswitch-2.9.0-56.el7fdp.x86_64

Comment 1 Lars Kellogg-Stedman 2018-10-24 23:04:50 UTC
Installing the following selinux module allows openvswitch to start:

module moc-openvswitch 1.0;

require {
        type container_var_run_t;
        type openvswitch_t;
        class dir write;
}

#============= openvswitch_t ==============
allow openvswitch_t container_var_run_t:dir write;
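
As an added example (not code from the bug report), the following Python routine parses AVC denials like the one in the description and renders the allow-rule module shown in Comment 1, merging permissions when several denials hit the same source/target/class triple. The first sample line is the denial quoted above; the second is constructed for illustration and is not from the report.

```python
import re
# Constructed sample input: the denial quoted in the bug description, plus a
# second constructed line (not from the report) against the same directory.
SAMPLE_AVCS = [
    'avc:  denied  { write } for  pid=351746 comm="ovsdb-server" '
    'name="openvswitch" dev="tmpfs" ino=84668 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir',
    'avc:  denied  { add_name } for  pid=351746 comm="ovsdb-server" '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir',
]

# A context is user:role:type:level; the first two fields cannot contain ':',
# so the third capture is always the type whatever the MCS level looks like.
_CTX = r'[^:\s]+:[^:\s]+:(?P<{n}>[^:\s]+):\S+'
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=' + _CTX.format(n='stype') + r'\s+'
    r'tcontext=' + _CTX.format(n='ttype') + r'\s+tclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source type, target type, class, [perms]) or None."""
    m = AVC_RE.search(line)
    return None if m is None else (m['stype'], m['ttype'], m['tclass'], m['perms'].split())

def fmt_perms(perms):
    """One permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def build_module(name, version, lines):
    """Render a .te module covering exactly the parsed denials.  Review it
    before loading: write on every container_var_run_t dir is broad."""
    rules, types, classes = {}, set(), {}
    for parsed in filter(None, map(parse_avc, lines)):
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
        classes.setdefault(tclass, set()).update(perms)
        types.update((stype, ttype))
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module('moc-openvswitch', '1.0', SAMPLE_AVCS))
```

Feeding only the first sample line reproduces the module from Comment 1 verbatim; feeding both shows how a single merged rule replaces two separate allows.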

Comment 4 Terry Wilson 2018-11-09 15:22:02 UTC
*** Bug 1601152 has been marked as a duplicate of this bug. ***

Comment 5 Lars Kellogg-Stedman 2018-11-09 15:29:23 UTC
*** Bug 1601152 has been marked as a duplicate of this bug. ***

Comment 25 errata-xmlrpc 2019-01-16 17:53:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0088