Bug 2100965 - [BLOCKED BY BZ2081636 and backport RHEL 8.6.z EUS] ovs-appctl selinux denials in ovirt-engine-4.5.0.7-0.9.el8ev
Summary: [BLOCKED BY BZ2081636 and backport RHEL 8.6.z EUS] ovs-appctl selinux denials...
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: rhv-security
Version: 4.4.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: eraviv
QA Contact: msheena
URL:
Whiteboard:
Depends On: 2081636 2102567
Blocks:
Reported: 2022-06-24 19:39 UTC by Robert McSwain
Modified: 2024-09-13 07:37 UTC
CC List: 5 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2102567
Environment:
Last Closed: 2023-07-17 07:47:48 UTC
oVirt Team: Network
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Issue Tracker RHV-46499 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2022-06-24 19:42:22 UTC

Description Robert McSwain 2022-06-24 19:39:35 UTC
Following our recent upgrade to ovirt-engine-4.5.0.7-0.9.el8ev and subsequent reboot of our self-hosted engine VM, we began noticing the following selinux denials in the logs:

Jun  3 03:27:04 cs-hcim ovs-appctl[162049]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnnb_db.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162050]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1186.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162051]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
Jun  3 03:27:07 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:09 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovn-northd.1186.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:23 cs-hcim setroubleshoot[162106]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

[root@cs-hcim ~]# sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-appctl should be allowed write access on the ovnsb_db.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp


Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                ovnsb_db.ctl [ sock_file ]
Source                        ovs-appctl
Source Path                   /usr/bin/ovs-appctl
Port                          <Unknown>
Host                          cs-hcim.bu.edu
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cs-hcim.bu.edu
Platform                      Linux cs-hcim.bu.edu 4.18.0-372.9.1.el8.x86_64 #1
                              SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-06-02 03:36:05 EDT
Last Seen                     2022-06-03 03:27:04 EDT
Local ID                      7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

Raw Audit Messages
type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


Hash: ovs-appctl,openvswitch_t,var_run_t,sock_file,write

All of the target files mentioned appear to reside in /run/ovn:

[root@cs-hcim ~]# ls -lZ /run/ovn/
total 12
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovn-northd.1186.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovn-northd.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnnb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.sock
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnsb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.sock

No effect from restorecon:

[root@cs-hcim ~]# restorecon -rv /run/ovn/
[root@cs-hcim ~]# 

This suggests there is a bug in the selinux policy.

Versions and last update time of related packages:

[root@cs-hcim ~]# rpm -qa --last | grep "openvswitch\|selinux-policy" 
ovirt-openvswitch-ovn-central-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:48 PM EDT
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64 Tue 31 May 2022 12:05:47 PM EDT
ovirt-python-openvswitch-2.15-3.el8ev.noarch  Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-common-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-2.15-3.el8ev.noarch         Tue 31 May 2022 12:05:47 PM EDT
openvswitch2.15-2.15.0-99.el8fdp.x86_64       Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-2.15-3.el8ev.noarch     Tue 31 May 2022 12:05:45 PM EDT
selinux-policy-targeted-3.14.3-95.el8.noarch  Thu 12 May 2022 08:57:03 AM EDT
selinux-policy-3.14.3-95.el8.noarch           Thu 12 May 2022 08:56:44 AM EDT
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch Wed 16 Mar 2022 12:07:54 PM EDT


Additional info:

The following commands have been run in order to mitigate the messages at this time and were run successfully:

# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp
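
Before reaching for audit2allow, which writes an allow rule for exactly what was denied, it helps to fingerprint each raw AVC record the way setroubleshoot's "Hash:" line above does and compare it against denials that are already understood. This is an added example, not code from the bug report or from setroubleshoot; the sample audit text is constructed (its first record is the one quoted above) and the signature format assumes the comm,source type,target type,class,perms shape shown in the Hash: line.

```python
import re

# Constructed sample input: the first record is the raw AVC message quoted in
# the description; the second is a made-up unrelated denial so that the
# known-signature check has something to flag as new.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1654241225.001:1423): avc:  denied  { read } for  pid=4242 comm="httpd" name="index.html" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """user:role:type:range -> type (openvswitch_t, var_run_t, ...)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = rec["permissive"] == "1"  # absent -> enforced
    return rec


def signature(rec):
    """comm,source type,target type,class,perms: same shape as setroubleshoot's Hash: line."""
    return ",".join([rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
                     rec["tclass"], ",".join(rec["perms"])])


def find_denials(text, known=frozenset()):
    """List (signature, already_known) for every enforced denial in the audit text."""
    found = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and not rec["permissive"]:
            sig = signature(rec)
            found.append((sig, sig in known))
    return found


if __name__ == "__main__":
    for sig, seen in find_denials(SAMPLE_AUDIT, {"ovs-appctl,openvswitch_t,var_run_t,sock_file,write"}):
        print(("known  " if seen else "NEW    ") + sig)
```

Feed it `ausearch -m AVC --raw` output instead of the constructed sample to see which denials on a host are the one tracked in this bug and which are something else.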

Comment 3 msheena 2023-01-08 09:44:34 UTC
Tested on
=========
ovirt-engine-4.5.3.4-1.el8ev.noarch (hosted engine deployment)
openvswitch-selinux-extra-policy-1.0-30.el8fdp.noarch

Reason for failure
==================
The same log messages described in the description were found in the journalctl output:

ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1130.ctl
ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl

SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: ...

Comment 5 Martin Perina 2023-07-17 07:47:48 UTC
There are no confirmed issues affecting RHV functionality around those selinux denials, so deferring due to lack of resources.

