Description of problem: See below for the context set for /var/run/openvswitch, DPDK installation is failing with avc denied.

type=AVC msg=audit(1573651690.514:4640): avc: denied { create } for pid=34421 comm="ovs-vswitchd" name="dpdk" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1

[root@overcloud-computeovsdpdksriov-1 ~]# ll -Z /var/run/openvswitch
total 8
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:37 br-tenant.mgmt
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:37 br-tenant.snoop
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 db.sock
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovsdb-server.17771.ctl
-rw-r--r--. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 6 Nov 13 11:54 ovsdb-server.pid
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovs-vswitchd.17830.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovs-vswitchd.17881.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovs-vswitchd.17931.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovs-vswitchd.17981.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:54 ovs-vswitchd.18030.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:08 ovs-vswitchd.18322.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:08 ovs-vswitchd.18374.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:08 ovs-vswitchd.18424.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:08 ovs-vswitchd.18474.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:08 ovs-vswitchd.18523.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:14 ovs-vswitchd.19072.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:14 ovs-vswitchd.19124.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:14 ovs-vswitchd.19176.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:14 ovs-vswitchd.19227.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 13:14 ovs-vswitchd.19278.ctl
srwxr-x---. 1 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 0 Nov 13 11:37 ovs-vswitchd.5063.ctl
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0 41 Nov 13 11:54 useropts

[root@overcloud-computeovsdpdksriov-1 ~]# ll -Z /var/run/openvswitch -d
drwxr-xr-x. 2 openvswitch hugetlbfs system_u:object_r:container_file_t:s0 480 Nov 13 13:14 /var/run/openvswitch

(undercloud) [stack@undercloud ~]$ cat /etc/yum.repos.d/latest-installed
16 -p RHOS_TRUNK-16.0-RHEL-8-20191112.n.1

[root@overcloud-computeovsdpdksriov-1 ~]# rpm -qa | grep openvswitch
rhosp-openvswitch-2.11-0.3.el8ost.noarch
network-scripts-openvswitch2.11-2.11.0-26.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-19.el8fdp.noarch
openvswitch2.11-2.11.0-26.el8fdp.x86_64

[root@overcloud-computeovsdpdksriov-1 ~]# rpm -qa | grep selinux
selinux-policy-targeted-3.14.3-20.el8.noarch
libselinux-ruby-2.9-2.1.el8.x86_64
python3-libselinux-2.9-2.1.el8.x86_64
libselinux-2.9-2.1.el8.x86_64
libselinux-utils-2.9-2.1.el8.x86_64
container-selinux-2.107-2.module+el8.1.0+4081+b29780af.noarch
rpm-plugin-selinux-4.14.2-25.el8.x86_64
openstack-selinux-0.8.20-0.20191105125849.6578483.el8ost.noarch
openvswitch-selinux-extra-policy-1.0-19.el8fdp.noarch
selinux-policy-3.14.3-20.el8.noarch
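An added example, not part of this bug report or of the OvS / openstack-selinux packages: a small parser for audit AVC records of the form quoted above, with a filter that flags the pattern this bug is about (openvswitch_t acting on files labelled container_file_t) and reports whether each denial was actually enforced (permissive=0) or only logged (permissive=1). Only the first sample line is the record from the report; the other lines are constructed here so the filter has something to accept and something to reject. The helper names (parse_avc_line, find_ovs_container_file_denials, summarize) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input. The first record is the AVC quoted in this bug
# report; the remaining lines are made up for this example (they are not
# from the attached audit.log): a non-AVC record, a second openvswitch_t
# denial that was enforced, and an unrelated denial that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1573651690.514:4640): avc:  denied  { create } for  pid=34421 comm="ovs-vswitchd" name="dpdk" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1573651690.514:4640): arch=c000003e syscall=83 success=yes exit=0
type=AVC msg=audit(1573651700.001:4702): avc:  denied  { write } for  pid=34421 comm="ovs-vswitchd" name="db.sock" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1573651710.500:4710): avc:  denied  { read } for  pid=999 comm="other" name="passwd" scontext=system_u:system_r:container_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: timestamp:serial, verdict, permission set, then
# the key=value tail. Whitespace is matched loosely because auditd writes
# double spaces that are often collapsed when a record is pasted.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either a quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str            # "denied" or "granted"
    perms: List[str]       # e.g. ["create"]
    fields: Dict[str, str]  # pid, comm, name, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        # user:role:type:level -> the type component of the subject context
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    @property
    def permissive(self) -> bool:
        # permissive=1 means the access was logged but still allowed
        return self.fields.get("permissive") == "1"


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def find_ovs_container_file_denials(records: List[AvcRecord]) -> List[AvcRecord]:
    """Denials where the OvS daemon domain hits a container-relabelled object."""
    return [
        r for r in records
        if r.result == "denied"
        and r.source_type == "openvswitch_t"
        and r.target_type == "container_file_t"
    ]


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Collapse records into (source type, target type, class) -> permissions."""
    out: Dict[Tuple[str, str, str], Set[str]] = {}
    for r in records:
        key = (r.source_type, r.target_type, r.fields["tclass"])
        out.setdefault(key, set()).update(r.perms)
    return out


if __name__ == "__main__":
    hits = find_ovs_container_file_denials(parse_audit_log(SAMPLE_AUDIT_LOG))
    for r in hits:
        mode = "permissive" if r.permissive else "ENFORCED"
        print(f"{r.serial}: {r.fields['comm']} {r.perms} {r.fields['tclass']} "
              f"{r.fields.get('name')} [{mode}]")
    for key, perms in summarize(hits).items():
        print(key, sorted(perms))
```

The summary output groups denials the way an allow rule would be written (source type, target type, object class, permission set), which is the information needed to judge a proposed policy change like the one discussed later in this report; the permissive flag separates denials that merely appeared in the log from ones that actually failed the daemon.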
SELinux context for /var/run/XXX should be set as the ovs daemons are started. Need someone from the selinux team to understand why this context is being set. Change the context back once this is understood. Neither OvS package nor ovs-selinux package set these explicitly.
Cédric, I know you helped with a number of patches to help openstack / openvswitch / containers to work well together, is this a case where we need some additional rules in openstack-selinux here? Or the context shouldn't have changed? Saravanan, would it be possible to attach the audit.log file? Were there any other related AVCs?
I am not seeing anything obvious in openstack-selinux that would change the context for /var/run/openvswitch so wondering if it may be related to something in THT.
Created attachment 1637997 [details] audit.log on compute for selinux enforcing
Hello there

Soooo... that location (/var/run/openvswitch) is mounted within containers:

deployment/neutron/neutron-ovs-agent-container-puppet.yaml:
  - /var/run/openvswitch/:/var/run/openvswitch/:shared,z

The "z" flag calls a relabelling, usually in order to prevent write (and read) access from within the container. In order to sort this situation, I think that a patch in openstack-selinux might be the right thing, allowing openvswitch_t to access/write into container_file_t. I don't think this opens any major security issue, and is probably better that way than allowing container_t to do stuff in openvswitch_file_t.

Does it help, Julie? Sorry for the delay, didn't see that one before.

Cheers,

C.
Note that we'll need to drop the ":z" flag from t-h-t as soon as we get a new package for openstack-selinux. That patch only (PR 46 against openstack-selinux) won't be sufficient. Not sure about the "shared" one, but iirc it is useless (no mount within the location). @Julie: feel free to ping me once a package is issued so that I can do the t-h-t modification+tests :).
Cédric, thanks! The patch is now included in package openstack-selinux-0.8.20-0.20191125121841.a4fcc2c.el8ost. I'm not sure whether to switch this bug to MODIFIED or if it needs to depend on or be reused for the THT fix you mention?
@Julie: well, we probably want a new BZ for t-h-t, and add the depends-on + MODIFIED for the current one. -> is there already a BZ for t-h-t on that topic, or... ? Feel free to create it and give it to me. We'd "just" need to ensure upstream CI already has that package in order to not break things.
(In reply to Cédric Jeanneret from comment #8)
> @Julie: well, we probably want a new BZ for t-h-t, and add the depends-on +
> MODIFIED for the current one.
> -> is there already a BZ for t-h-t on that topic, or... ? Feel free to
> create it and give it to me. We'd "just" need to ensure upstream CI already
> has that package in order to not break things.

Cloned this bug and assigned it to you as requested -> bug 1776326.
It looks like the openstack-selinux fix should be enough on its own - Saravanan, would you still have the environment and be able to confirm if the new package gets you past the issue? Thank you.
(In reply to Julie Pichon from comment #12)
> It looks like the openstack-selinux fix should be enough on its own -
> Saravanan, would you still have the environment and be able to confirm if
> the new package gets you past the issue? Thank you.

I will try to verify this package or I will check Vadim has the environment. We will update the bz after checking it.
Using this package, I did not face the permission issue. And ovs-vswitchd started successfully with Enforcing mode. No changes done on the templates, only this new package is used.
Wonderful, thank you for checking!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0283