
Bug 1690783

Summary: SELinux preventing ovs to create/access/manage netlink_netfilter_socket
Product: Red Hat Enterprise Linux Fast Datapath
Component: openvswitch-selinux-extra-policy
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: FDP 19.A
Target Release: FDP 19.C
Keywords: Triaged
Fixed In Version: openvswitch-selinux-extra-policy-1.0-12.el8
Reporter: Cédric Jeanneret <cjeanner>
Assignee: Aaron Conole <aconole>
QA Contact: Ofer Blaut <oblaut>
CC: ctrautma, fhallal, jiqiu, jpichon, oblaut, pvauter, qding, rkhan, tredaelli, twilson
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-06-05 14:55:10 UTC
Type: Bug

Description Cédric Jeanneret 2019-03-20 09:00:04 UTC
Description of problem:
While running Tempest against an osp15 deployed on rhel8, we can see the following denials:

type=AVC msg=audit(1553069489.230:3828): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3829): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3830): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3831): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553069489.230:3832): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553070010.478:5775): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5776): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5777): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5778): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553070010.478:5779): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
Version-Release number of selected component (if applicable):
openvswitch-selinux-extra-policy-1.0-10.el8fdb.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an osp15 standalone in permissive mode
2. run tempest
3. look in /var/log/audit/audit.log

Actual results:
We can see a list of denials

Expected results:
audit.log should not have those entries.
Additional info:

The policy looks like:
# Minimal type-enforcement (.te) module; the module name below is a placeholder,
# not the name used by the openvswitch-selinux-extra-policy package.
module ovs_netlink_netfilter 1.0;

require {
        type openvswitch_t;
        class netlink_netfilter_socket { connect create getattr getopt setopt };
}

#============= openvswitch_t ==============
# Let ovs-vswitchd (openvswitch_t) create and manage its own netlink_netfilter sockets.
allow openvswitch_t self:netlink_netfilter_socket { connect create getattr getopt setopt };
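
A minimal version of the audit-to-policy step that audit2allow performs on the denials above, added here as an example (it is not part of the bug report or of the openvswitch-selinux-extra-policy package): it parses the AVC records, collapses them into a single allow rule, and checks that they were logged with permissive=1, since in enforcing mode only the first refused operation would ever appear.

```python
import re
from collections import defaultdict

# Constructed sample: the first batch of AVC records from the bug description, trailing blanks removed.
SAMPLE_AVC = """\
type=AVC msg=audit(1553069489.230:3828): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3829): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3830): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3831): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3832): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
"""

# One AVC denial: the permission set, both security contexts, the object class and the permissive flag.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one record per AVC denial line; lines that are not AVC denials are skipped, never guessed at."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "source": m["scontext"].split(":")[2],   # user:role:TYPE:level -> TYPE
            "target": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "permissive": m["permissive"] == "1",
        })
    return records

def allow_rules(records):
    """Collapse denials into one 'allow' rule per (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for r in records:
        target = "self" if r["target"] == r["source"] else r["target"]  # same type on both sides -> self
        grouped[(r["source"], target, r["tclass"])] |= r["perms"]
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]

def complete_in_permissive(records):
    """True only if every denial carries permissive=1. In enforcing mode the first refused
    operation (here 'create') fails the caller, so the remaining perms would never be logged."""
    return bool(records) and all(r["permissive"] for r in records)
```

Feeding the contents of /var/log/audit/audit.log to parse_avc and then allow_rules yields the same allow line as the policy fragment in the description; complete_in_permissive tells you whether that set can be trusted to be the full one.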

Comment 2 Aaron Conole 2019-05-06 14:07:57 UTC
Will change release date until 19.D since upstream didn't ack the patch until too late to make the deadline.

Comment 4 Aaron Conole 2019-05-28 12:26:12 UTC
*** Bug 1714161 has been marked as a duplicate of this bug. ***

Comment 6 Jiying Qiu 2019-06-03 06:50:05 UTC
verified with openvswitch-selinux-extra-policy-1.0-12.el8fdp.noarch.rpm.

Comment 8 errata-xmlrpc 2019-06-05 14:55:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1387