Description of problem:
While running Tempest against an osp15 deployed on rhel8, we can see the following denials:

type=AVC msg=audit(1553069489.230:3828): avc: denied { create } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3829): avc: denied { setopt } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3830): avc: denied { getopt } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3831): avc: denied { connect } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3832): avc: denied { getattr } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5775): avc: denied { create } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5776): avc: denied { setopt } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5777): avc: denied { getopt } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5778): avc: denied { connect } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5779): avc: denied { getattr } for pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1

Version-Release number of selected component (if applicable):
openvswitch-selinux-extra-policy-1.0-10.el8fdb.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an osp15 standalone in permissive mode
2. run tempest
3. look in /var/log/audit/audit.log

Actual results:
We can see a list of denials

Expected results:
audit.log should not have those entries.

Additional info:
The policy looks like:

require {
	type openvswitch_t;
	class netlink_netfilter_socket { connect create getattr getopt setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_netfilter_socket { connect create getattr getopt setopt };
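The allow rule quoted under "Additional info" is what audit2allow derives from the AVC records above: group every denial by (source type, target type, object class), union the permissions, and print `self` when source and target types are the same. The script below is an added example, not code from the bug report or from the openvswitch-selinux-extra-policy package; it re-implements that derivation on a constructed audit.log sample. The sample reuses the records quoted in the report and adds two constructed lines (a SYSCALL record that must be ignored and a `permissive=0` file denial against `net_conf_t`) to show filtering and a non-self target; the function names `parse_avc`, `collect_rules`, `render_module` and `enforced_denials` are this example's own. One caveat the records carry themselves: `permissive=1` means the kernel logged the denial but let the operation through, so the same Tempest run in enforcing mode would have had ovs-vswitchd fail on the netlink_netfilter socket rather than just leave entries in audit.log.

```python
"""Synthesize SELinux TE allow rules from AVC denial records (audit2allow-style).

Added example: not part of the bug report or of openvswitch-selinux-extra-policy.
"""
import re
from collections import defaultdict

# Fields of a kernel AVC record that matter for policy synthesis. Whitespace is
# matched loosely because auditd writes double spaces and copy/paste collapses them.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample: the records quoted in the report (same pids, timestamps and
# serials) plus two constructed lines: an unrelated SYSCALL record and an
# enforced (permissive=0) file denial with a non-self target type.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1553069489.230:3828): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3829): avc:  denied  { setopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3830): avc:  denied  { getopt } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3831): avc:  denied  { connect } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553069489.230:3832): avc:  denied  { getattr } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1553070010.478:5775): avc:  denied  { create } for  pid=11435 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_netfilter_socket permissive=1
type=SYSCALL msg=audit(1553070010.478:5775): arch=c000003e syscall=41 success=yes exit=12 comm="ovs-vswitchd"
type=AVC msg=audit(1553070010.478:5790): avc:  denied  { read } for  pid=11435 comm="ovs-vswitchd" name="hosts" dev="vda1" ino=1234 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""


def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        # Kernels that omit permissive= are treated as enforcing.
        "permissive": m.group("permissive") == "1",
    }


def context_type(ctx):
    """user:role:type[:level] -> type, the only component TE rules are written against."""
    return ctx.split(":")[2]


def collect_rules(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def enforced_denials(lines):
    """Count records with permissive=0: operations the kernel actually refused."""
    return sum(1 for rec in map(parse_avc, lines) if rec is not None and not rec["permissive"])


def render_module(rules):
    """Emit require/allow text in the shape audit2allow prints (and the report quotes)."""
    types, classes, by_source = set(), defaultdict(set), defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        types.update((stype, ttype))
        classes[tclass] |= perms
        by_source[stype].append((ttype, tclass, perms))
    out = ["require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    out += ["}", ""]
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for ttype, tclass, perms in by_source[stype]:
            target = "self" if stype == ttype else ttype  # same type on both sides -> self
            out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print(render_module(collect_rules(lines)))
    print(f"\n# records the kernel actually blocked: {enforced_denials(lines)}")
```

Running it prints the same `allow openvswitch_t self:netlink_netfilter_socket { connect create getattr getopt setopt };` rule the report quotes, plus the constructed `allow openvswitch_t net_conf_t:file { read };` line. Note that a rule generated this way is only the minimal set observed during one run: the reporter's netlink_netfilter_socket permissions come from Tempest exercising the conntrack path through ovs-vswitchd, and a workload that does not hit that path would produce a shorter (and insufficient) rule.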
Will change release date until 19.D since upstream didn't ack the patch until too late to make the deadline.
*** Bug 1714161 has been marked as a duplicate of this bug. ***
verified with openvswitch-selinux-extra-policy-1.0-12.el8fdp.noarch.rpm.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:1387