Switching the component to openswitch to be assessed and possibly addressed there - I am not completely sure about the openvswitch-selinux-extra-policy status.

Do you think these permissions requests are reasonable?
For those which are, should they be a part of openvswitch-selinux-extra-policy or selinux-policy?

Please ignore the lldpad-related denials.

I see the following block, which appears related:

type=AVC msg=audit(1644857302.735:2071): avc:  denied  { write } for  pid=7057 comm="ovs-monitor-ips" name="ipsec.conf" dev="vda10" ino=1786537 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ipsec_conf_file_t:s0 tclass=file permissive=0

The OVS selinux policy is supposed to add:

allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write };

Which would allow this action. Can you confirm which version of openvswitch-selinux-extra-policy is installed?

I can see openvswitch-selinux-extra-policy-1.0-30.el9s.noarch on the host.

Thank you for that.

I installed the 1.0.30 rpm on RHEL9 and confirmed that it wasn't working, I got the following error when trying to load it:

# semodule -i  /usr/share/selinux/packages/openvswitch-custom.pp
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/openvswitch-custom/cil:74
Failed to resolve AST
semodule:  Failed!

I then compiled 1.0.30 from source code myself and it seemed to work fine. Finally, I tried the most recent release, which is 1.0.31, and it also worked.

For now, I recommend upgrading to 1.0.31, which can be downloaded from here: http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/openvswitch-selinux-extra-policy/1.0/31.el9fdp/noarch/openvswitch-selinux-extra-policy-1.0-31.el9fdp.noarch.rpm

I'll look into why the 1.0.30 package had this issue.

*** This bug has been marked as a duplicate of bug 2042911 ***