Bug 1651329 - RHOS14: selinux denies ovs-vswitchd net_broadcast capability
Summary: RHOS14: selinux denies ovs-vswitchd net_broadcast capability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Zoli Caplovic
QA Contact: Jon Schlueter
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-19 17:31 UTC by bkopilov
Modified: 2019-12-02 11:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-02 11:09:27 UTC
Target Upstream Version:



Description bkopilov 2018-11-19 17:31:44 UTC
Description of problem:

RHOS14, 3 controllers, 2 computes.

Looks like the net_broadcast action is blocked.



SELinux is preventing /usr/sbin/ovs-vswitchd from using the net_broadcast capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-vswitchd should have the net_broadcast capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-vswitchd' --raw | audit2allow -M my-ovsvswitchd
# semodule -i my-ovsvswitchd.pp


Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                Unknown [ capability ]
Source                        ovs-vswitchd
Source Path                   /usr/sbin/ovs-vswitchd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           openvswitch2.10-2.10.0-21.el7fdn.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-229.el7_6.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     compute-0
Platform                      Linux compute-0 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Oct 4 20:48:51 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-11-19 14:58:05 UTC
Last Seen                     2018-11-19 14:58:05 UTC
Local ID                      6e587513-edbc-4e46-95cb-126e479d3c07

Raw Audit Messages
type=AVC msg=audit(1542639485.823:28): avc:  denied  { net_broadcast } for  pid=3370 comm="ovs-vswitchd" capability=11  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0


type=SYSCALL msg=audit(1542639485.823:28): arch=x86_64 syscall=setsockopt success=no exit=EPERM a0=10 a1=10e a2=8 a3=7fff172e93d4 items=0 ppid=3369 pid=3370 auid=4294967295 uid=990 gid=1000 euid=990 suid=990 fsuid=990 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)

Hash: ovs-vswitchd,openvswitch_t,openvswitch_t,capability,net_broadcast

--------------------------------------------------------------------------------

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

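What the two raw audit records above actually say, as an added example (this is editor-written code, not the reporter's, not part of Open vSwitch and not part of openstack-selinux): the AVC's capability=11 is CAP_NET_BROADCAST, and the SYSCALL's a1=10e a2=8 decode to setsockopt(fd, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, ...), the netlink option the kernel gates on CAP_NET_BROADCAST (the EPERM exit is the kernel refusing, and the AVC is SELinux refusing the same capability check one layer up). The numeric constants are taken from the Linux UAPI headers (capability.h, netlink.h); the two sample records are the ones quoted in the report; the function names are this example's own.

```python
"""Decode the AVC/SYSCALL audit pair quoted in the bug report.

Added example, not code from the report, from Open vSwitch or from
openstack-selinux. Constants are from the Linux UAPI headers; the two
sample records are the ones pasted in the report.
"""
import re

# CAP_* numbers from include/uapi/linux/capability.h (networking subset).
CAPABILITIES = {10: "net_bind_service", 11: "net_broadcast",
                12: "net_admin", 13: "net_raw"}

# setsockopt(2) level SOL_NETLINK (270 = 0x10e) and NETLINK_* option
# names from include/uapi/linux/netlink.h.
SOL_NETLINK = 270
NETLINK_OPTS = {1: "NETLINK_ADD_MEMBERSHIP", 2: "NETLINK_DROP_MEMBERSHIP",
                3: "NETLINK_PKTINFO", 4: "NETLINK_BROADCAST_ERROR",
                5: "NETLINK_NO_ENOBUFS", 8: "NETLINK_LISTEN_ALL_NSID",
                9: "NETLINK_LIST_MEMBERSHIPS", 10: "NETLINK_CAP_ACK"}

# Sample input: the two raw records from the report, copied verbatim.
AVC_RECORD = (
    'type=AVC msg=audit(1542639485.823:28): avc:  denied  { net_broadcast } for  '
    'pid=3370 comm="ovs-vswitchd" capability=11  '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0'
)
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1542639485.823:28): arch=x86_64 syscall=setsockopt '
    'success=no exit=EPERM a0=10 a1=10e a2=8 a3=7fff172e93d4 items=0 ppid=3369 '
    'pid=3370 auid=4294967295 uid=990 gid=1000 euid=990 suid=990 fsuid=990 '
    'egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=ovs-vswitchd '
    'exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)'
)


def parse_fields(record):
    """Split an audit record into its key=value tokens (quotes stripped)."""
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def decode_avc(record):
    """Interpret an AVC record; for tclass=capability, map the numeric
    capability= field to its CAP_* name."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}", record)
    if not m:
        raise ValueError("not an AVC record")
    f = parse_fields(record)
    avc = {"verdict": m.group(1), "perms": m.group(2).split(),
           "scontext": f["scontext"], "tcontext": f["tcontext"],
           "tclass": f["tclass"], "comm": f.get("comm"),
           # permissive=0: the denial was enforced, not merely logged
           "enforced": f.get("permissive") == "0"}
    if f["tclass"] == "capability" and "capability" in f:
        num = int(f["capability"])
        avc["capability"] = CAPABILITIES.get(num, "cap_%d" % num)
    return avc


def decode_syscall(record):
    """Interpret the matching SYSCALL record. For setsockopt, a1 (level)
    and a2 (optname) are hex and are mapped to their symbolic names."""
    f = parse_fields(record)
    sc = {"syscall": f["syscall"], "success": f["success"] == "yes",
          "exit": f["exit"], "uid": int(f["uid"]), "exe": f.get("exe")}
    if f["syscall"] == "setsockopt":
        level, optname = int(f["a1"], 16), int(f["a2"], 16)
        if level == SOL_NETLINK:
            sc["level"] = "SOL_NETLINK"
            sc["optname"] = NETLINK_OPTS.get(optname, str(optname))
        else:
            sc["level"], sc["optname"] = str(level), str(optname)
    return sc


def allow_rule(avc):
    """Render the TE allow rule audit2allow would emit for this AVC.
    Source and target types come from the third field of each context;
    an identical target becomes 'self', as in the report's denial."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    target = "self" if tgt == src else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, target, avc["tclass"], perm_str)


if __name__ == "__main__":
    avc = decode_avc(AVC_RECORD)
    sc = decode_syscall(SYSCALL_RECORD)
    print("%s (uid %d) was %s CAP_%s in %s(level=%s, optname=%s): exit=%s"
          % (avc["comm"], sc["uid"], avc["verdict"], avc["capability"].upper(),
             sc["syscall"], sc["level"], sc["optname"], sc["exit"]))
    print("audit2allow would generate:", allow_rule(avc))
```

Two things worth knowing before following the setroubleshoot advice in the description. First, `ausearch -c 'ovs-vswitchd' --raw | audit2allow -M my-ovsvswitchd` folds every recorded ovs-vswitchd denial into the module, not just this one, so read the generated .te before `semodule -i`; for this single AVC the rule is the one-liner the block prints. Second, a local module hides the real question, which is whether the packaged policy already carries the rule: `rpm -q openstack-selinux openvswitch-selinux-extra-policy` shows the installed versions, and `sesearch -A -s openvswitch_t -t openvswitch_t -c capability -p net_broadcast` (setools) shows whether the loaded policy grants it. If it does and the AVC still appears, the host is running a stale policy (for example an image built before the rule was added), which is the scenario the later comments ask about.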
Comment 1 Lon Hohberger 2018-11-19 19:48:52 UTC
Adding Aaron, who maintains openvswitch-selinux-extra-policy

Comment 2 Aaron Conole 2018-11-29 20:57:29 UTC
I think this is likely the same issues as 1642591 (https://bugzilla.redhat.com/show_bug.cgi?id=1642591)

Was the system in question built from an image?  We have had net_broadcast in since 1.0-5.

Comment 6 Zoli Caplovic 2019-05-07 15:09:17 UTC
Hello Litman, 

let me apologize for the long silence about this bug. I would like to ask you whether you are still experiencing the issue. I would also like to know more details - have you built the system from an image (see Aaron's comment above - the net_broadcast is in openvswitch-selinux-extra-policy since 1.0-5)?

Thank you in advance

Zoli Caplovic

Comment 8 Zoli Caplovic 2019-08-23 09:49:44 UTC
Hello Litman, 

I would like to ask you whether you are still experiencing the issue. I would also like to know more details - have you built the system from an image (see Aaron's comment above - the net_broadcast is in openvswitch-selinux-extra-policy since 1.0-5)?

Thank you in advance

Zoli Caplovic

Comment 9 Zoli Caplovic 2019-11-27 14:44:09 UTC

Hello Litman, 

I would like to ask you whether you are still experiencing the issue. I would also like to know more details - have you built the system from an image (see Aaron's comment above - the net_broadcast is in openvswitch-selinux-extra-policy since 1.0-5)?

Thank you in advance

Zoli Caplovic

Comment 10 Julie Pichon 2019-12-02 11:09:27 UTC
It seems like the rule resolving this was also added to openstack-selinux [1] in the meantime and present since 0.8.17, which should be available to OSP14 since z1. Based on this I think it's okay to close this bug, but feel free to reopen if that is not the case. Thank you.

[1] https://github.com/redhat-openstack/openstack-selinux/blob/master/os-podman.te#L21

