Bug 845417 - Add SELinux policy for openvswitch daemons
Add SELinux policy for openvswitch daemons
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
high Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
Depends On: 805652
  Show dependency treegraph
Reported: 2012-08-02 23:07 EDT by Cong Wang
Modified: 2014-09-30 19:33 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-175.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 03:27:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Cong Wang 2012-08-02 23:07:14 EDT
Description of problem:

Openvswitch service starts the following daemons:

    * ovs-vswitchd, a daemon that implements the switch, along with 
      a companion Linux kernel module for flow-based switching.

    * ovsdb-server, a lightweight database server that ovs-vswitchd
      queries to obtain its configuration.

    * ovs-brcompatd, a daemon that allows ovs-vswitchd to act as a
      drop-in replacement for the Linux bridge in many environments, 
      along with a companion Linux kernel module to intercept bridge 

All of them need policy.

Additional info:

See also "Overview of functionality and components":

Comment 2 Milos Malik 2012-08-03 04:16:11 EDT
Are the daemons you talk about related to quantum-openswitch-agent service ?

# rpm -qa selinux-policy\*
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service quantum-openvswitch-agent status
quantum-openvswitch-agent is stopped
# service quantum-openvswitch-agent start
Starting quantum-openvswitch-agent:                        [  OK  ]
# service quantum-openvswitch-agent status
quantum-openvswitch-agent (pid  2199) is running...
# ps -efZ | grep switch
unconfined_u:system_r:quantum_t:s0 quantum 2199    1  5 10:09 ?        00:00:00 python /usr/bin/quantum-openvswitch-agent /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2225 2045  0 10:09 pts/0 00:00:00 grep switch
# service quantum-openvswitch-agent stop
Stopping quantum-openvswitch-agent:                        [  OK  ]
# service quantum-openvswitch-agent status
quantum-openvswitch-agent is stopped
Comment 3 Miroslav Grepl 2012-08-03 04:26:37 EDT
We have this policy in RHEL7/Fedora.

quantum.fc:/usr/bin/quantum-openvswitch-agent	--	gen_context(system_u:object_r:quantum_exec_t,s0)
Comment 4 Cong Wang 2012-08-03 04:39:16 EDT
It looks like quantum-openvswitch-agent is a quantum plugin for openvswitch? I am not a virt people, so know very little about openstack.
Comment 5 Michal Trunecka 2012-09-21 04:00:14 EDT
Cong, is there any openvswitch RPM available to install on RHEL6 or is it recommended to be installed from tar.gz?
Comment 6 Cong Wang 2012-09-21 04:25:23 EDT
RPM package is not available yet, you need to build it from spec file. You can find it here:

Comment 8 Miroslav Grepl 2012-10-15 14:26:55 EDT
Is already the package available from brew?
Comment 9 Cong Wang 2012-10-15 22:19:07 EDT
Try the RPM from Thomas:
Comment 10 Miroslav Grepl 2012-10-23 07:07:55 EDT
I added an intial openvswitch policy to selinux-policy-3.7.19-175.el6

How to test.

1. install these builds
2. semodule -d unconfined
3. setenforce 0
4. re-test it
5. ausearch -m avc > /tmp/openvswitch.log

and attach this log. Thank you.

6. semodule -e unconfined
7. setenforce 1
Comment 14 errata-xmlrpc 2013-02-21 03:27:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.