Bug 1732217 - fail to start openvswitch on rhel8.1 with selinux enable
Summary: fail to start openvswitch on rhel8.1 with selinux enable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: FDP 19.E
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Aaron Conole
QA Contact: haidong li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-23 03:34 UTC by haidong li
Modified: 2020-01-20 02:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-13 17:13:33 UTC
Target Upstream Version:


Attachments:
audit.log (116.60 KB, text/plain)
2019-08-01 03:00 UTC, haidong li

Description haidong li 2019-07-23 03:34:07 UTC
Description of problem:
openvswitch fails to start on rhel8.1 with selinux enabled

Version-Release number of selected component (if applicable):
[root@hp-dl380g10-04 ~]# uname -a
Linux hp-dl380g10-04.rhts.eng.pek2.redhat.com 4.18.0-107.el8.x86_64 #1 SMP Fri Jun 14 13:46:34 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@hp-dl380g10-04 images]# rpm -qa| grep openvswitch
kernel-kernel-networking-openvswitch-ovs_qinq_dpdk-1.3-37.noarch
openvswitch-selinux-extra-policy-1.0-16.el8fdp.noarch
openvswitch2.11-2.11.0-18.el8fdp.x86_64
[root@hp-dl380g10-04 images]#

How reproducible:
every time

Steps to Reproduce:
1. setenforce 1
2. install openvswitch package
3. systemctl restart openvswitch

Actual results:
[root@hp-dl380g10-04 images]# rpm -ivh http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch2.11/2.11.0/18.el8fdp/x86_64/openvswitch2.11-2.11.0-18.el8fdp.x86_64.rpm
Retrieving http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch2.11/2.11.0/18.el8fdp/x86_64/openvswitch2.11-2.11.0-18.el8fdp.x86_64.rpm


Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:openvswitch2.11-2.11.0-18.el8fdp ################################# [100%]
[root@hp-dl380g10-04 images]# 
[root@hp-dl380g10-04 images]# 
[root@hp-dl380g10-04 images]# systemctl restart openvswitch
A dependency job for openvswitch.service failed. See 'journalctl -xe' for details.
[root@hp-dl380g10-04 images]# journalctl -xe
Jul 22 23:16:11 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Control >
Jul 22 23:16:11 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Failed w>
Jul 22 23:16:11 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start Open vSwitch F>
-- Subject: Unit ovs-vswitchd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit ovs-vswitchd.service has failed.
-- 
-- The result is RESULT.
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Service >
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Schedule>
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Automatic restarting of the unit ovs-vswitchd.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: Stopped Open vSwitch Forwardin>
-- Subject: Unit ovs-vswitchd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit ovs-vswitchd.service has finished shutting down.
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Start re>
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: ovs-vswitchd.service: Failed w>
Jul 22 23:16:12 hp-dl380g10-04.rhts.eng.pek2.redhat.com systemd[1]: Failed to start Open vSwitch F>
-- Subject: Unit ovs-vswitchd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit ovs-vswitchd.service has failed.
-- 
-- The result is RESULT.



Expected results:


Additional info:
no issue if setenforce 0
[root@hp-dl380g10-04 images]# setenforce 0
[root@hp-dl380g10-04 images]# systemctl restart openvswitch

Comment 2 haidong li 2019-08-01 03:00:21 UTC
Created attachment 1596850 [details]
audit.log

It still fails with the -18 version. I have pasted the audit.log, please check it.
[root@dell-per730-42 ~]# rpm -qa | grep openvswitch
openvswitch2.11-2.11.0-18.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-18.el8fdp.noarch
[root@dell-per730-42 ~]# 
[root@dell-per730-42 ~]# getenforce 
Enforcing
[root@dell-per730-42 ~]# systemctl start openvswitch
A dependency job for openvswitch.service failed. See 'journalctl -xe' for details.
[root@dell-per730-42 ~]# journalctl -xe
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit ovs-delete-transient-ports.service has failed.
-- 
-- The result is RESULT.
Jul 31 22:48:09 dell-per730-42.rhts.eng.pek2.redhat.com restraintd[6079]: *** Current Time: Wed Jul 31 22:48:09 2019 Localwatchdog at:  * Disabled! *
Jul 31 22:49:09 dell-per730-42.rhts.eng.pek2.redhat.com restraintd[6079]: *** Current Time: Wed Jul 31 22:49:09 2019 Localwatchdog at:  * Disabled! *
Jul 31 22:50:09 dell-per730-42.rhts.eng.pek2.redhat.com restraintd[6079]: *** Current Time: Wed Jul 31 22:50:09 2019 Localwatchdog at:  * Disabled! *
Jul 31 22:50:46 dell-per730-42.rhts.eng.pek2.redhat.com systemd[1]: Starting Cleanup of Temporary Directories...
-- Subject: Unit systemd-tmpfiles-clean.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit systemd-tmpfiles-clean.service has begun starting up.
Jul 31 22:50:46 dell-per730-42.rhts.eng.pek2.redhat.com systemd-tmpfiles[22204]: [/usr/lib/tmpfiles.d/radvd.conf:1] Line references path below legacy direc>
Jul 31 22:50:46 dell-per730-42.rhts.eng.pek2.redhat.com systemd-tmpfiles[22204]: [/usr/lib/tmpfiles.d/subscription-manager.conf:1] Line references path bel>
Jul 31 22:50:46 dell-per730-42.rhts.eng.pek2.redhat.com systemd[1]: Started Cleanup of Temporary Directories.
-- Subject: Unit systemd-tmpfiles-clean.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit systemd-tmpfiles-clean.service has finished starting up.
-- 
-- The start-up result is RESULT.
Jul 31 22:51:09 dell-per730-42.rhts.eng.pek2.redhat.com restraintd[6079]: *** Current Time: Wed Jul 31 22:51:09 2019 Localwatchdog at:  * Disabled! *
Jul 31 22:51:09 dell-per730-42.rhts.eng.pek2.redhat.com systemd[1]: Starting SSSD Kerberos Cache Manager...
-- Subject: Unit sssd-kcm.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit sssd-kcm.service has begun starting up.
Jul 31 22:51:09 dell-per730-42.rhts.eng.pek2.redhat.com systemd[1]: Started SSSD Kerberos Cache Manager.
-- Subject: Unit sssd-kcm.service has finished start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit sssd-kcm.service has finished starting up.
-- 
-- The start-up result is RESULT.
Jul 31 22:51:09 dell-per730-42.rhts.eng.pek2.redhat.com sssd[kcm][22222]: Starting up
[root@dell-per730-42 ~]#

Comment 3 Aaron Conole 2019-08-01 15:36:25 UTC
Comment on attachment 1596850 [details]
audit.log

The log doesn't show any AVC denials.  How do you determine this is an OVS selinux issue?
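
One way to run the check Comment 3 refers to, as an added example that is not part of the original bug thread: a shell function that summarises AVC denial records in an audit log by source domain, object class and permissions. The sample records are constructed (not taken from the attached audit.log); `openvswitch_t` is assumed as the OVS domain, and `example_file_t`, `example_dir_t` and `other_t` are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise SELinux AVC denials
# in an audit log, grouped by source domain, object class and permissions.

# Constructed sample records; they are not taken from the attached audit.log.
# openvswitch_t is assumed as the OVS domain; example_*_t and other_t are placeholders.
sample_audit_log() {
cat <<'EOF'
type=SERVICE_START msg=audit(1564627680.100:90): pid=1 uid=0 msg='unit=ovs-vswitchd comm="systemd" res=failed'
type=AVC msg=audit(1564627689.101:91): avc:  denied  { read write } for  pid=2001 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1564627690.102:92): avc:  denied  { read write } for  pid=2002 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(1564627700.103:93): avc:  denied  { search } for  pid=2003 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:example_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1564627701.104:94): avc:  denied  { getattr } for  pid=2004 comm="other" scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
EOF
}

# avc_summary FILE [DOMAIN] -> lines of "count domain class {perms} permissive=N"
avc_summary() {
    awk -v want="${2:-}" '
    /type=AVC/ && /avc: +denied/ {
        perms = ""; dom = ""; cls = ""; mode = "?"
        # The denied permissions sit between "{ " and " }".
        if (match($0, /\{ [^}]*\}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
            else if ($i ~ /^permissive=/) mode = substr($i, 12)
        }
        # Optional filter on the source domain (third field of scontext).
        if (want != "" && dom != want) next
        seen[dom " " cls " {" perms "} permissive=" mode]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$1" | sort
}

log=$(mktemp)
sample_audit_log > "$log"
avc_summary "$log" openvswitch_t   # empty output means no denial for that domain
rm -f "$log"
```

Records with `permissive=1` are the ones logged while the system runs under `setenforce 0`, so the same summary covers a run where the service starts successfully.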

Comment 4 haidong li 2019-08-02 07:01:01 UTC
Hi, I found in comment 2 I used the wrong ovs package, very sorry for that. I have tried again, and no issue for the -18 selinux version. The issue is only on -16 version.
[root@dell-per730-42 ~]# getenforce 
Enforcing
[root@dell-per730-42 ~]# rpm -qa | grep openvswitch
[root@dell-per730-42 ~]# rpm -ivh openvswitch-selinux-extra-policy-1.0-18.el8fdp.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:openvswitch-selinux-extra-policy-################################# [100%]
[root@dell-per730-42 ~]# rpm -ivh openvswitch2.11-2.11.0-18.el8fdp.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:openvswitch2.11-2.11.0-18.el8fdp ################################# [100%]
[root@dell-per730-42 ~]# systemctl start openvswitch
[root@dell-per730-42 ~]# 
[root@dell-per730-42 ~]# rpm -qa | grep openvswitch
openvswitch-selinux-extra-policy-1.0-18.el8fdp.noarch
openvswitch2.11-2.11.0-18.el8fdp.x86_64
[root@dell-per730-42 ~]#


Issue found on -16 version:
[root@dell-per730-42 ~]# rpm -ivh openvswitch-selinux-extra-policy-1.0-16.el8fdp.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:openvswitch-selinux-extra-policy-################################# [100%]
[root@dell-per730-42 ~]# ll
total 12452
-rw-------. 1 root root    19497 Aug  2 02:53 anaconda-ks.cfg
-rw-r--r--. 1 root root        4 Aug  2 02:52 NETBOOT_METHOD.TXT
-rw-r--r--. 1 root root 12681052 Jul 18 10:28 openvswitch2.11-2.11.0-18.el8fdp.x86_64.rpm
-rw-r--r--. 1 root root    14052 Jun 14 11:04 openvswitch-selinux-extra-policy-1.0-16.el8fdp.noarch.rpm
-rw-------. 1 root root    20927 Aug  2 02:53 original-ks.cfg
-rw-r--r--. 1 root root        8 Aug  2 02:52 RECIPE.TXT
[root@dell-per730-42 ~]# rpm -ivh openvswitch2.11-2.11.0-18.el8fdp.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:openvswitch2.11-2.11.0-18.el8fdp ################################# [100%]
[root@dell-per730-42 ~]# systemctl start openvswitch
A dependency job for openvswitch.service failed. See 'journalctl -xe' for details.
[root@dell-per730-42 ~]#