Bug 1707840 - [OSP15] ML2 OVS Unable to boot guest instances with vhostuser due to selinux policy
Summary: [OSP15] ML2 OVS Unable to boot guest instances with vhostuser due to selinux ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: beta
: 15.0 (Stein)
Assignee: Lon Hohberger
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-05-08 14:16 UTC by Vadim Khitrin
Modified: 2021-02-08 20:18 UTC (History)
9 users (show)

Fixed In Version: openstack-selinux-0.8.19-0.20190515180355.e1c7511.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-21 11:21:58 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:2811 0 None None None 2019-09-21 11:22:17 UTC

Description Vadim Khitrin 2019-05-08 14:16:02 UTC
Description of problem:

When deploying overcloud with ML2 OVS backend, guest instances with vhostuser interface will fail to spawn due to selinux policy.

selinux audit:

[root@compute-0 ~]# sealert -l 56512430-6c70-4223-a639-f56b1524ee65
SELinux is preventing /usr/sbin/ovs-vswitchd from 'read, write' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-vswitchd should be allowed read write access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vhost-events' --raw | audit2allow -M my-vhostevents
# semodule -X 300 -i my-vhostevents.pp


Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0
Target Context                system_u:system_r:spc_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        vhost-events
Source Path                   /usr/sbin/ovs-vswitchd
Port                          <Unknown>
Host                          compute-0
Source RPM Packages           openvswitch2.11-2.11.0-0.20190129gitd3a10db.el8fdb
                              .x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-61.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     compute-0
Platform                      Linux compute-0 4.18.0-80.el8.x86_64 #1 SMP Wed
                              Mar 13 12:02:46 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-05-08 13:38:45 UTC
Last Seen                     2019-05-08 13:38:45 UTC
Local ID                      56512430-6c70-4223-a639-f56b1524ee65

Raw Audit Messages
type=AVC msg=audit(1557322725.873:12375): avc:  denied  { read write } for  pid=8786 comm="vhost-events" path="socket:[16378370]" dev="sockfs" ino=16378370 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=1


type=SYSCALL msg=audit(1557322725.873:12375): arch=x86_64 syscall=recvmsg success=yes exit=ENOMEM a0=6a a1=7f7692ffc6c0 a2=0 a3=7f7692ffc6a0 items=0 ppid=1 pid=8786 auid=4294967295 uid=987 gid=42477 euid=987 suid=987 fsuid=987 egid=42477 sgid=42477 fsgid=42477 tty=(none) ses=4294967295 comm=vhost-events exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null)

Hash: vhost-events,openvswitch_t,spc_t,unix_stream_socket,read,write

When setting selinux to Permissive or creating policies from above audit, we are able to boot the instance successfully.

Version-Release number of selected component (if applicable):
compose: RHOS_TRUNK-15.0-RHEL-8-20190423.n.1

rpm -qa | grep openvswitch
rhosp-openvswitch-2.11-0.1.el8ost.noarch
network-scripts-openvswitch2.11-2.11.0-0.20190129gitd3a10db.el8fdb.x86_64
openvswitch-selinux-extra-policy-1.0-10.el8fdb.noarch
openvswitch2.11-2.11.0-0.20190129gitd3a10db.el8fdb.x86_64


How reproducible:
always


Steps to Reproduce:
1. Deploy Overcloud with ML2 OVS backend
2. Spawn guest instance with vhostuser interface

Actual results:
Unable to spawn guest


Expected results:
Successful spawn of guest

Additional info:
Will provide sosreports in comments

Comment 1 Saravanan KR 2019-05-08 14:21:51 UTC
I executed below commands in the compute node with selinux mode a Enforcing, I was able to create the VMs successfully.
    ausearch -c 'vhost-events' --raw | audit2allow -M my-vhostevents
    semodule -X 300 -i my-vhostevents.pp

Comment 3 Lon Hohberger 2019-05-15 15:22:11 UTC
curiously: 

#!!!! This avc has a dontaudit rule in the current policy
allow openvswitch_t spc_t:unix_stream_socket { read write };

Comment 4 Lon Hohberger 2019-05-15 15:37:58 UTC
OVS doesn't require container-selinux, but spc_t is defined there. However, openstack-selinux does require container-selinux.

Comment 5 Timothy Redaelli 2019-05-15 15:57:47 UTC
Yes,
openvswitch-selinux-extra-policy-1.0-10 requires container-selinux

Comment 6 Aaron Conole 2019-05-15 16:00:07 UTC
We are eliminating the dependency to containers-selinux, because it breaks some layered products.

Comment 7 Lon Hohberger 2019-05-15 17:43:18 UTC
No problem, since it's specific to openstack container configuration, I placed it here for now:

https://github.com/redhat-openstack/openstack-selinux/pull/32

Comment 14 errata-xmlrpc 2019-09-21 11:21:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811


Note You need to log in before you can comment on or make changes to this bug.