
Bug 2102567

Summary: ovs-appctl selinux denials in ovirt-engine-4.5.0.7-0.9.el8ev
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Martin Perina <mperina>
Component: openvswitch-selinux-extra-policy
Assignee: Aaron Conole <aconole>
Status: CLOSED ERRATA
QA Contact: Jean-Tsung Hsiao <jhsiao>
Severity: high
Priority: high
Version: FDP 22.D
CC: aconole, amusil, ctrautma, eraviv, mburman, mperina, msheena, paulds, qding, rmcswain
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: openvswitch-selinux-extra-policy-1.0-30.el8fdp
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 2100965
Last Closed: 2023-03-16 10:24:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2100965

Description Martin Perina 2022-06-30 08:32:42 UTC
+++ This bug was initially created as a clone of Bug #2100965 +++

Following our recent upgrade to ovirt-engine-4.5.0.7-0.9.el8ev and subsequent reboot of our self-hosted engine VM, we began noticing the following selinux denials in the logs:

Jun  3 03:27:04 cs-hcim ovs-appctl[162049]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnnb_db.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162050]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1186.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162051]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
Jun  3 03:27:07 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:09 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovn-northd.1186.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:23 cs-hcim setroubleshoot[162106]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

[root@cs-hcim ~]# sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-appctl should be allowed write access on the ovnsb_db.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp


Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                ovnsb_db.ctl [ sock_file ]
Source                        ovs-appctl
Source Path                   /usr/bin/ovs-appctl
Port                          <Unknown>
Host                          cs-hcim.bu.edu
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cs-hcim.bu.edu
Platform                      Linux cs-hcim.bu.edu 4.18.0-372.9.1.el8.x86_64 #1
                              SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-06-02 03:36:05 EDT
Last Seen                     2022-06-03 03:27:04 EDT
Local ID                      7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

Raw Audit Messages
type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


Hash: ovs-appctl,openvswitch_t,var_run_t,sock_file,write

All of the target files mentioned appear to reside in /run/ovn:

[root@cs-hcim ~]# ls -lZ /run/ovn/
total 12
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovn-northd.1186.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovn-northd.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnnb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.sock
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnsb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.sock

No effect from restorecon:

[root@cs-hcim ~]# restorecon -rv /run/ovn/
[root@cs-hcim ~]# 

This suggests there is a bug in the selinux policy.

Versions and last update time of related packages:

[root@cs-hcim ~]# rpm -qa --last | grep "openvswitch\|selinux-policy" 
ovirt-openvswitch-ovn-central-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:48 PM EDT
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64 Tue 31 May 2022 12:05:47 PM EDT
ovirt-python-openvswitch-2.15-3.el8ev.noarch  Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-common-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-2.15-3.el8ev.noarch         Tue 31 May 2022 12:05:47 PM EDT
openvswitch2.15-2.15.0-99.el8fdp.x86_64       Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-2.15-3.el8ev.noarch     Tue 31 May 2022 12:05:45 PM EDT
selinux-policy-targeted-3.14.3-95.el8.noarch  Thu 12 May 2022 08:57:03 AM EDT
selinux-policy-3.14.3-95.el8.noarch           Thu 12 May 2022 08:56:44 AM EDT
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch Wed 16 Mar 2022 12:07:54 PM EDT


Additional info:

The following commands have been run in order to mitigate the messages at this time and were run successfully:

# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp
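
The raw AVC record quoted in the sealert output is the input that both setroubleshoot and the audit2allow workaround above work from. As an added illustration (not code from this bug or from the openvswitch packages), the following parses such a record, checks whether it matches the denial pattern reported here, and shows the allow rule that audit2allow -M my-ovsappctl derives from it; AvcDenial, parse_avc, allow_rule and matches_this_bug are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Raw AVC record copied from the sealert output quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  '
    'pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 '
    'scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class AvcDenial:
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool

def parse_avc(line):
    """Parse one audit record; return an AvcDenial, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m or m.group('result') != 'denied':
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type is the third field.
    return AvcDenial(perms=tuple(m.group('perms').split()),
                     comm=kv.get('comm', ''), name=kv.get('name', ''),
                     source_type=kv['scontext'].split(':')[2],
                     target_type=kv['tcontext'].split(':')[2],
                     tclass=kv['tclass'], permissive=kv.get('permissive') == '1')

def allow_rule(d):
    """The allow rule audit2allow derives from a denial (the body of the generated .te module)."""
    perms = d.perms[0] if len(d.perms) == 1 else '{ ' + ' '.join(d.perms) + ' }'
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {perms};'

def matches_this_bug(d):
    """True for the exact denial pattern reported here: ovs-appctl writing an OVN .ctl socket."""
    return (d.source_type == 'openvswitch_t' and d.target_type == 'var_run_t'
            and d.tclass == 'sock_file' and 'write' in d.perms
            and d.name.endswith('.ctl'))
```

The derived rule grants openvswitch_t write access to every var_run_t socket on the host, not only the OVN .ctl sockets, which is why the local module is a stopgap until the package listed under Fixed In Version is installed.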

Comment 21 errata-xmlrpc 2023-03-16 10:24:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1291