Description of problem:
RHOS14, 3 controllers, 2 computes. Looks like net_broadcast action blocked.

SELinux is preventing /usr/sbin/ovs-vswitchd from using the net_broadcast capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ovs-vswitchd should have the net_broadcast capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ovs-vswitchd' --raw | audit2allow -M my-ovsvswitchd
# semodule -i my-ovsvswitchd.pp

Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                Unknown [ capability ]
Source                        ovs-vswitchd
Source Path                   /usr/sbin/ovs-vswitchd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           openvswitch2.10-2.10.0-21.el7fdn.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     compute-0
Platform                      Linux compute-0 3.10.0-957.el7.x86_64 #1 SMP Thu Oct 4 20:48:51 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-19 14:58:05 UTC
Last Seen                     2018-11-19 14:58:05 UTC
Local ID                      6e587513-edbc-4e46-95cb-126e479d3c07

Raw Audit Messages
type=AVC msg=audit(1542639485.823:28): avc: denied { net_broadcast } for pid=3370 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0

type=SYSCALL msg=audit(1542639485.823:28): arch=x86_64 syscall=setsockopt success=no exit=EPERM a0=10 a1=10e a2=8 a3=7fff172e93d4 items=0 ppid=3369 pid=3370 auid=4294967295 uid=990 gid=1000 euid=990 suid=990 fsuid=990 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)

Hash: ovs-vswitchd,openvswitch_t,openvswitch_t,capability,net_broadcast
--------------------------------------------------------------------------------
Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
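The two raw audit records in the description carry enough information to triage the denial without running audit2allow blind: the AVC record names the subject type, object class and denied permission, and the matching SYSCALL record (same audit serial) shows which setsockopt() call the kernel refused. The following is an added example, not part of this bug report, Open vSwitch, or openstack-selinux. It is plain Python 3 with no dependencies, quotes the two records from the description above as its input, and uses constant values taken from the Linux uapi headers: capability 11 is CAP_NET_BROADCAST, setsockopt level 0x10e (270) is SOL_NETLINK, and option 8 at that level is NETLINK_LISTEN_ALL_NSID, which the kernel gates on CAP_NET_BROADCAST. The decoding of a1/a2 is an inference from the record, not something the bug states. The last function renders the allow rule that audit2allow would produce for the same AVC, so a reviewer can see exactly what a local module would grant before installing it.

```python
import re

# The two audit records quoted from the bug description (not constructed).
AVC_RECORD = (
    'type=AVC msg=audit(1542639485.823:28): avc: denied { net_broadcast } '
    'for pid=3370 comm="ovs-vswitchd" capability=11 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0'
)
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1542639485.823:28): arch=x86_64 syscall=setsockopt '
    'success=no exit=EPERM a0=10 a1=10e a2=8 a3=7fff172e93d4 items=0 ppid=3369 '
    'pid=3370 auid=4294967295 uid=990 gid=1000 euid=990 suid=990 fsuid=990 '
    'egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=ovs-vswitchd '
    'exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)'
)

# Capability numbers from include/uapi/linux/capability.h (subset relevant to
# networking denials; unknown numbers are rendered as CAP_<n>).
CAPABILITY_NAMES = {
    10: "CAP_NET_BIND_SERVICE",
    11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
}

# setsockopt() level/option constants needed to decode a1/a2 of the SYSCALL record.
SOL_NETLINK = 270                                   # include/linux/socket.h
NETLINK_OPTNAMES = {8: "NETLINK_LISTEN_ALL_NSID"}   # include/uapi/linux/netlink.h

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields.

    Quoted values lose their quotes. For AVC records the '{ perm ... }' set is
    stored as a list under the key 'denied' or 'granted'.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if m:
        fields[m.group(1)] = m.group(2).split()
    return fields


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def triage_capability_denial(avc_line, syscall_line=None):
    """Summarise a capability-class AVC denial, decoding the syscall if given."""
    avc = parse_record(avc_line)
    if avc.get("tclass") != "capability" or "denied" not in avc:
        raise ValueError("not a capability denial")
    cap_num = int(avc["capability"])
    result = {
        "comm": avc["comm"],
        "pid": int(avc["pid"]),
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "permissions": avc["denied"],
        "capability": CAPABILITY_NAMES.get(cap_num, "CAP_%d" % cap_num),
        "enforced": avc.get("permissive") == "0",   # permissive=0 means the call really failed
    }
    if syscall_line:
        sc = parse_record(syscall_line)
        # Only pair the records if they share the audit serial in msg=audit(...).
        if sc.get("msg") == avc.get("msg") and sc.get("syscall") == "setsockopt":
            level = int(sc["a1"], 16)       # audit logs syscall args in hex
            optname = int(sc["a2"], 16)
            result["syscall"] = "setsockopt"
            result["exit"] = sc["exit"]
            result["level"] = "SOL_NETLINK" if level == SOL_NETLINK else str(level)
            if level == SOL_NETLINK:
                result["optname"] = NETLINK_OPTNAMES.get(optname, str(optname))
            else:
                result["optname"] = str(optname)
    return result


def allow_rule(triage):
    """Render the allow rule audit2allow would emit for this denial.

    audit2allow writes 'self' when the subject and object types are the same,
    which is always the case for capability-class checks.
    """
    same = triage["source_type"] == triage["target_type"]
    target = "self" if same else triage["target_type"]
    perms = triage["permissions"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:capability %s;" % (triage["source_type"], target, perm_str)


if __name__ == "__main__":
    t = triage_capability_denial(AVC_RECORD, SYSCALL_RECORD)
    for k, v in t.items():
        print("%-12s %s" % (k, v))
    print(allow_rule(t))
```

Run against the records from this report it shows that ovs-vswitchd (running as openvswitch_t, enforcing mode) was denied CAP_NET_BROADCAST while calling setsockopt(SOL_NETLINK, NETLINK_LISTEN_ALL_NSID), and that the module audit2allow would build contains the single line `allow openvswitch_t self:capability net_broadcast;`, the same rule later carried by openvswitch-selinux-extra-policy and openstack-selinux. For a different denial, feed it the AVC and SYSCALL lines from `ausearch -m AVC,SYSCALL --raw` instead of the embedded constants.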
Adding Aaron, who maintains openvswitch-selinux-extra-policy
I think this is likely the same issues as 1642591 (https://bugzilla.redhat.com/show_bug.cgi?id=1642591) Was the system in question built from an image? We have had net_broadcast in since 1.0-5.
Hello Litman, let me apologize for the long silence about this bug. I would like to ask you whether you are still experiencing the issue. I would also like to know more details - have you built the system from an image (see Aaron's comment above - the net_broadcast is in openvswitch-selinux-extra-policy since 1.0-5)? Thank you in advance Zoli Caplovic
Hello Litman, I would like to ask you whether you are still experiencing the issue. I would also like to know more details - have you built the system from an image (see Aaron's comment above - the net_broadcast is in openvswitch-selinux-extra-policy since 1.0-5)? Thank you in advance Zoli Caplovic
It seems like the rule resolving this was also added to openstack-selinux [1] in the meantime and present since 0.8.17, which should be available to OSP14 since z1. Based on this I think it's okay to close this bug, but feel free to reopen if that is not the case. Thank you. [1] https://github.com/redhat-openstack/openstack-selinux/blob/master/os-podman.te#L21