logrotate postrotate script uses ovs-appctl, causing an SELinux issue
https://github.com/ovn-org/ovn/blob/main/rhel/etc_logrotate.d_ovn#L18

type=AVC msg=audit(1691657680.741:180): avc: denied { write } for pid=2451 comm="ovs-appctl" name="ovn-controller.1646.ctl" dev="tmpfs" ino=1006 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

ovn-appctl could be used instead

Reproducible: Always

Steps to Reproduce:
1- start ovn-controller
2- keep it running for a day
3- lsof on the ovn-controller

Actual Results:
ovn-controller references a deleted file
ovn-controller.log file is empty
above AVC is logged

Expected Results:
ovn-controllers should write logs into the new ovn-controller.log file

observed on rawhide and centos s9

SELinux issue can also be reproduced with

    systemd-run --unit foo --uid openvswitch --collect -- ovs-appctl -t /var/run/ovn/ovn-controller.1646.ctl vlog/reopen

vs working:

    systemd-run --unit bar --uid openvswitch --collect -- ovn-appctl -t /var/run/ovn/ovn-controller.1646.ctl vlog/reopen
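
To check other hosts for the denial quoted in the report above, this added example (not part of the original bug report or of the OVN project) parses AVC records and selects the ones matching that record's pattern. The sample log is constructed from the report's record plus one made-up unrelated denial, and all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AVC record quoted in the report, followed by one
# made-up unrelated denial that must not match.
SAMPLE_LOG = """\
type=AVC msg=audit(1691657680.741:180): avc: denied { write } for pid=2451 comm="ovs-appctl" name="ovn-controller.1646.ctl" dev="tmpfs" ino=1006 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1691657700.100:181): avc: denied { read } for pid=3000 comm="cat" name="example.conf" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"type=AVC msg=audit\((\d+)\.(\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    rec["serial"] = int(m.group(3))
    rec["result"] = m.group(4)
    rec["perms"] = m.group(5).split()
    return rec

def ctx_type(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def is_reopen_denial(rec):
    """True for an enforced write denial of ovs-appctl on a var_run_t control socket."""
    return (rec["result"] == "denied" and rec.get("permissive") == "0"
            and rec.get("comm") == "ovs-appctl" and "write" in rec["perms"]
            and rec.get("tclass") == "sock_file"
            and ctx_type(rec.get("scontext", "")) == "openvswitch_t"
            and ctx_type(rec.get("tcontext", "")) == "var_run_t"
            and rec.get("name", "").endswith(".ctl"))

def find_reopen_denials(text):
    recs = (parse_avc(line) for line in text.splitlines())
    return [r for r in recs if r and is_reopen_denial(r)]

if __name__ == "__main__":
    for r in find_reopen_denials(SAMPLE_LOG):
        print(r["time"].isoformat(), r["comm"], r["name"], r["scontext"], "->", r["tcontext"])
```

On a real host the same functions can be fed the contents of the audit log instead of `SAMPLE_LOG`.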
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.