1690783 – SELinux preventing ovs to create/access/manage netlink_netfilter_socket

The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 1690783 - SELinux preventing ovs to create/access/manage netlink_netfilter_socket

Summary: SELinux preventing ovs to create/access/manage netlink_netfilter_socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	openvswitch-selinux-extra-policy
Sub Component:
Version:	FDP 19.A
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	FDP 19.C
Assignee:	Aaron Conole
QA Contact:	Ofer Blaut
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1714161 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-03-20 09:00 UTC by Cédric Jeanneret
Modified:	2020-01-05 12:40 UTC (History)
CC List:	10 users (show)
Fixed In Version:	openvswitch-selinux-extra-policy-1.0-12.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-05 14:55:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:1387	0	None	None	None	2019-06-05 14:55:12 UTC

Description Cédric Jeanneret 2019-03-20 09:00:04 UTC

Description of problem:
While running Tempest against an osp15 deployed on rhel8, we can see the following denials:

type=AVC msg=audit(1553069489.230:3828): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3829): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3830): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553069489.230:3831): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553069489.230:3832): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553070010.478:5775): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5776): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5777): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1     
type=AVC msg=audit(1553070010.478:5778): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    
type=AVC msg=audit(1553070010.478:5779): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1    



Version-Release number of selected component (if applicable):
openvswitch-selinux-extra-policy-1.0-10.el8fdb.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an osp15 standalone in permissive mode
2. run tempest
3. looks in /var/log/audit/audit.log

Actual results:
We can see a list of denials

Expected results:
audit.log should not have those entries.


Additional info:

The policy looks like:
require {
        type openvswitch_t;
        class netlink_netfilter_socket { connect create getattr getopt setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_netfilter_socket { connect create getattr getopt setopt };

Comment 2 Aaron Conole 2019-05-06 14:07:57 UTC

Will change release date until 19.D since upstream didn't ack the patch until too late to make the deadline.

Comment 4 Aaron Conole 2019-05-28 12:26:12 UTC

*** Bug 1714161 has been marked as a duplicate of this bug. ***

Comment 6 Jiying Qiu 2019-06-03 06:50:05 UTC

verified with openvswitch-selinux-extra-policy-1.0-12.el8fdp.noarch.rpm.

Comment 8 errata-xmlrpc 2019-06-05 14:55:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1387

Note You need to log in before you can comment on or make changes to this bug.