Bug 2102567 - ovs-appctl selinux denials in ovirt-engine-4.5.0.7-0.9.el8ev
Summary: ovs-appctl selinux denials in ovirt-engine-4.5.0.7-0.9.el8ev
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: FDP 22.D
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Aaron Conole
QA Contact: Jean-Tsung Hsiao
URL:
Whiteboard:
Depends On:
Blocks: 2100965
Reported: 2022-06-30 08:32 UTC by Martin Perina
Modified: 2023-03-16 10:24 UTC
CC List: 10 users

Fixed In Version: openvswitch-selinux-extra-policy-1.0-30.el8fdp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2100965
Environment:
Last Closed: 2023-03-16 10:24:40 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker FD-2070 (last updated 2022-06-30 08:36:10 UTC)
Red Hat Product Errata RHBA-2023:1291 (last updated 2023-03-16 10:24:43 UTC)

Description Martin Perina 2022-06-30 08:32:42 UTC
+++ This bug was initially created as a clone of Bug #2100965 +++

Following our recent upgrade to ovirt-engine-4.5.0.7-0.9.el8ev and subsequent reboot of our self-hosted engine VM, we began noticing the following selinux denials in the logs:

Jun  3 03:27:04 cs-hcim ovs-appctl[162049]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnnb_db.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162050]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovn-northd.1186.ctl
Jun  3 03:27:04 cs-hcim ovs-appctl[162051]: ovs|00001|unixctl|WARN|failed to connect to /var/run/ovn/ovnsb_db.ctl
Jun  3 03:27:07 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnnb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:09 cs-hcim setroubleshoot[162053]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovn-northd.1186.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
Jun  3 03:27:23 cs-hcim setroubleshoot[162106]: SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl. For complete SELinux messages run: sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

[root@cs-hcim ~]# sealert -l 7c35e71f-4bcd-4460-91e4-5bacfe20e8d1
SELinux is preventing /usr/bin/ovs-appctl from write access on the sock_file ovnsb_db.ctl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ovs-appctl should be allowed write access on the ovnsb_db.ctl sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp


Additional Information:
Source Context                system_u:system_r:openvswitch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                ovnsb_db.ctl [ sock_file ]
Source                        ovs-appctl
Source Path                   /usr/bin/ovs-appctl
Port                          <Unknown>
Host                          cs-hcim.bu.edu
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cs-hcim.bu.edu
Platform                      Linux cs-hcim.bu.edu 4.18.0-372.9.1.el8.x86_64 #1
                              SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-06-02 03:36:05 EDT
Last Seen                     2022-06-03 03:27:04 EDT
Local ID                      7c35e71f-4bcd-4460-91e4-5bacfe20e8d1

Raw Audit Messages
type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


Hash: ovs-appctl,openvswitch_t,var_run_t,sock_file,write

All of the target files mentioned appear to reside in /run/ovn:

[root@cs-hcim ~]# ls -lZ /run/ovn/
total 12
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovn-northd.1186.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovn-northd.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnnb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnnb_db.sock
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.ctl
-rw-r--r--. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 5 May 31 12:16 ovnsb_db.pid
srwxr-x---. 1 openvswitch openvswitch system_u:object_r:var_run_t:s0 0 May 31 12:16 ovnsb_db.sock

No effect from restorecon:

[root@cs-hcim ~]# restorecon -rv /run/ovn/
[root@cs-hcim ~]# 

This suggests there is a bug in the selinux policy.

Versions and last update time of related packages:

[root@cs-hcim ~]# rpm -qa --last | grep "openvswitch\|selinux-policy" 
ovirt-openvswitch-ovn-central-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:48 PM EDT
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64 Tue 31 May 2022 12:05:47 PM EDT
ovirt-python-openvswitch-2.15-3.el8ev.noarch  Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-common-2.15-3.el8ev.noarch Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-2.15-3.el8ev.noarch         Tue 31 May 2022 12:05:47 PM EDT
openvswitch2.15-2.15.0-99.el8fdp.x86_64       Tue 31 May 2022 12:05:47 PM EDT
ovirt-openvswitch-ovn-2.15-3.el8ev.noarch     Tue 31 May 2022 12:05:45 PM EDT
selinux-policy-targeted-3.14.3-95.el8.noarch  Thu 12 May 2022 08:57:03 AM EDT
selinux-policy-3.14.3-95.el8.noarch           Thu 12 May 2022 08:56:44 AM EDT
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch Wed 16 Mar 2022 12:07:54 PM EDT


Additional info:

The following commands have been run in order to mitigate the messages at this time and were run successfully:

# ausearch -c 'ovs-appctl' --raw | audit2allow -M my-ovsappctl
# semodule -X 300 -i my-ovsappctl.pp

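The description ends with the audit2allow mitigation. Before loading such a locally generated module, it is worth knowing exactly what it will grant: audit2allow collapses the denied AVC records into type-enforcement allow rules keyed on source type, target type and object class, and for the record above that rule is "allow openvswitch_t var_run_t:sock_file write;", which permits writing to every sock_file still carrying the default var_run_t label, not just the three OVN control sockets. The following is an added example, not code from the bug report, from the openvswitch project or from audit2allow itself: a small Python parser that extracts the fields from raw AVC records, merges them the way audit2allow does, and flags rules whose target is a generic default label. The sample audit lines are constructed from the record quoted in the report (the second AVC line and the SYSCALL line are made up to exercise merging and skipping), and the GENERIC_TYPES set is a heuristic chosen for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the AVC record quoted in the bug report, a non-AVC
# record the parser must skip, and a second AVC record modelled on the first
# (for ovnnb_db.ctl) so that merging is exercised.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1654241224.946:1422): avc:  denied  { write } for  '
    'pid=162051 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=29851 '
    'scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
    'type=SYSCALL msg=audit(1654241224.946:1422): arch=c000003e syscall=42 success=no',
    'type=AVC msg=audit(1654241224.901:1420): avc:  denied  { write } for  '
    'pid=162049 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=29849 '
    'scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
]

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Default labels that cover whole directory trees. An allow rule against one of
# them is far broader than the single object that triggered the denial.
# Assumption: this set is a heuristic chosen for the example, not an SELinux
# policy concept.
GENERIC_TYPES = {'var_run_t', 'var_t', 'var_lib_t', 'tmp_t', 'etc_t', 'usr_t'}


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for other records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(
        time=datetime.fromtimestamp(float(m.group('ts')), tz=timezone.utc),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=m.group('perms').split(),
    )
    return rec


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(':')[2]


def collect_rules(lines):
    """Merge denials into (source type, target type, class) -> sorted perms,
    the aggregation audit2allow performs before emitting TE rules."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}


def format_rule(key, perms):
    """Render one merged rule in TE syntax (braces only for several perms)."""
    src, tgt, cls = key
    p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (src, tgt, cls, p)


def review(lines):
    """Return (rule text, warning-or-None) for each rule a local module would add."""
    out = []
    for key, perms in sorted(collect_rules(lines).items()):
        warning = None
        if key[1] in GENERIC_TYPES:
            warning = ('target type %s is a default label for a whole tree; '
                       'a file context for the object is the narrower fix' % key[1])
        out.append((format_rule(key, perms), warning))
    return out


if __name__ == '__main__':
    for rule, warning in review(SAMPLE_AUDIT_LINES):
        print(rule)
        if warning:
            print('  # WARNING:', warning)
```

Run against the real system with `ausearch -m AVC --raw` piped into the script's input instead of the constructed list. For the record on this page the merged output is a single rule targeting var_run_t with a warning attached, which is exactly the signal that the denial stems from the socket being labelled with the default type rather than from a missing permission on a correctly labelled object, consistent with the report's observation that restorecon changed nothing and that the policy itself needed fixing.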
Comment 21 errata-xmlrpc 2023-03-16 10:24:40 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1291

