Bug 1498797 - ovsdb-server fails to start with OVS-2.8.1 with AVC denial
Summary: ovsdb-server fails to start with OVS-2.8.1 with AVC denial
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1500122
Reported: 2017-10-05 09:37 UTC by Alfredo Moralejo
Modified: 2018-03-15 21:00 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1500122
Environment:
Last Closed: 2018-03-15 21:00:13 UTC
Embargoed:


Attachments
audit.log from permissive stop/start (21.14 KB, text/plain)
2017-10-10 15:03 UTC, Lon Hohberger

Description Alfredo Moralejo 2017-10-05 09:37:41 UTC
Description of problem:

When trying to start ovsdb-server using the package in http://cbs.centos.org/koji/buildinfo?buildID=20048, it fails to start with the following error:


Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Starting Open vSwitch Database Unit...
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4880]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4882]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4884]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 runuser[4888]: PAM audit_open() failed: Permission denied
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: runuser: System error
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: Backing up database to /etc/openvswitch/conf.db.backup- cp: cannot create regular file '/etc/openvswitch/conf.db.backup-': Permissio
Oct 05 09:11:38 generic-packstack-001-1539 ovs-ctl[4848]: [FAILED]
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service: control process exited, code=exited status=1
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Failed to start Open vSwitch Database Unit.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Unit ovsdb-server.service entered failed state.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service failed.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service holdoff time over, scheduling restart.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: start request repeated too quickly for ovsdb-server.service
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Failed to start Open vSwitch Database Unit.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: Unit ovsdb-server.service entered failed state.
Oct 05 09:11:38 generic-packstack-001-1539 systemd[1]: ovsdb-server.service failed.


The following AVC denials appear in audit.log:

80. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21315
81. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21314
82. 10/05/2017 09:11:36 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21316
83. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21317
84. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21318
85. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21334
86. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21335
87. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21336
88. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21337
89. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21338
90. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21344
91. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21345
92. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21346
93. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21347
94. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21348
95. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21366
96. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21367
97. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21368
98. 10/05/2017 09:11:37 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21369
99. 10/05/2017 09:11:37 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21370
100. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21374
101. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21375
102. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21376
103. 10/05/2017 09:11:38 runuser system_u:system_r:openvswitch_t:s0 41 netlink_audit_socket create system_u:system_r:openvswitch_t:s0 denied 21377
104. 10/05/2017 09:11:38 cp system_u:system_r:openvswitch_t:s0 2 capability dac_override system_u:system_r:openvswitch_t:s0 denied 21378

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Take ovs-2.8.1 build from CBS:

cd ~
wget http://cbs.centos.org/kojifiles/packages/openvswitch/2.8.1/1.1fc28.el7/x86_64/openvswitch-2.8.1-1.1fc28.el7.x86_64.rpm

2. Install openvswitch

yum -y localinstall openvswitch-2.8.1-1.1fc28.el7.x86_64.rpm


3. Start ovsdb-server

systemctl start ovsdb-server


Actual results:

ovsdb-server fails to start

Expected results:

ovsdb-server should start fine

Additional info:

Comment 1 Alan Pevec 2017-10-10 00:24:58 UTC
This can be reproduced on Fedora 27 with:
  selinux-policy-3.13.1-283.5.fc27.noarch
  openvswitch-2.8.1-1.fc27.x86_64
List of AVCs w/ SELinux permissive is below [*]
NB this is just service start, there might be more in actual operation!

This needs to be pushed first to https://github.com/fedora-selinux/selinux-policy
then backported to openstack-selinux.

[*]
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1507594743.049:195): avc:  denied  { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1

Comment 2 Lon Hohberger 2017-10-10 15:03:04 UTC
Created attachment 1336797
audit.log from permissive stop/start

Comment 3 Lon Hohberger 2017-10-10 15:05:07 UTC
#============= openvswitch_t ==============
allow openvswitch_t self:capability audit_write;
allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay };

These are simple enough and consistent with the workings of openvswitch.

Comment 5 Alfredo Moralejo 2017-10-13 08:27:01 UTC
ovsdb-server is still failing to start after https://github.com/redhat-openstack/openstack-selinux/commit/c677012699d2bad1846ab2a927b2af89ed976dcf

I could start it after adding the following policies:

#============= openvswitch_t ==============
allow openvswitch_t self:capability dac_override;
allow openvswitch_t self:netlink_audit_socket { read write };

Note that some of the AVC issues only appear after I disabled dontaudit (semodule -DB).

Comment 6 Alfredo Moralejo 2017-10-13 08:37:04 UTC
The messages I found in audit.log after disabling dontaudit:

type=AVC msg=audit(1507882760.767:1386): avc:  denied  { write } for  pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket


type=AVC msg=audit(1507882834.017:1434): avc:  denied  { read } for  pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket

type=AVC msg=audit(1507882927.297:1507): avc:  denied  { dac_override } for  pid=6744 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability

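The allow rules in Comment 3 and Comment 5 are exactly what audit2allow derives from the AVC records quoted in Comment 1 and Comment 6. The script below is an added example for this page, not code from the bug, from openvswitch or from openstack-selinux: it parses those AVC lines (embedded as a constructed sample, with one SYSCALL record added to show that non-AVC lines are skipped), collapses them into one allow rule per source/target/class the way audit2allow does, renders a local .te module, and flags capability grants that should be reviewed rather than granted mechanically. The module name ovs_audit_local, the REVIEW_PERMS list and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in Comment 1 and Comment 6 of this bug,
# plus one SYSCALL record to show that non-AVC lines are ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1507594742.843:184): avc:  denied  { create } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.843:185): avc:  denied  { nlmsg_relay } for  pid=1424 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1507594742.844:186): avc:  denied  { audit_write } for  pid=1424 comm="runuser" capability=29 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507594743.049:195): avc:  denied  { dac_override } for pid=1431 comm="ovs-vsctl" capability=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1507882760.767:1386): avc:  denied  { write } for  pid=6246 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1507882834.017:1434): avc:  denied  { read } for  pid=6495 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1507882834.017:1434): arch=c000003e syscall=44 success=yes exit=0
"""

# One AVC record: the braces hold one or more permissions; scontext/tcontext/tclass follow.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Capability grants that widen a domain well beyond one service's needs; a module that
# contains them deserves a second look. This list is an assumption of the example.
REVIEW_PERMS = {
    ("capability", "dac_override"),
    ("capability", "dac_read_search"),
    ("capability", "sys_admin"),
    ("capability", "sys_ptrace"),
    ("capability", "setuid"),
}


def context_type(ctx):
    """Return the type field of an SELinux context 'user:role:type:level'."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return (source_type, target_type, tclass, permission) for every AVC denial in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE, etc. carry no access decision
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            denials.append((stype, ttype, m.group("tclass"), perm))
    return denials


def _perm_set(perms):
    """Format a permission set the way policy sources do: bare for one, braced for many."""
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"


def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class), as audit2allow does."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        grouped[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {_perm_set(perms)};")
    return rules


def policy_module(name, denials):
    """Render a .te source file: module header, require block, then the allow rules."""
    types = sorted({t for d in denials for t in (d[0], d[1])})
    classes = defaultdict(set)
    for _, _, tclass, perm in denials:
        classes[tclass].add(perm)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


def needs_review(denials):
    """Return (source_type, tclass, permission) for every grant on the REVIEW_PERMS list."""
    return sorted({(s, c, p) for s, _, c, p in denials if (c, p) in REVIEW_PERMS})


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    print(policy_module("ovs_audit_local", found))
    for stype, tclass, perm in needs_review(found):
        print(f"# REVIEW: {stype} is being granted {tclass}:{perm}")
```

Two caveats the thread itself illustrates. First, the read and write denials on netlink_audit_socket are hidden by dontaudit rules in the base policy and only reach audit.log after semodule -DB, so a module built from a normal audit.log can look complete and still leave the service failing, which is what Comment 5 ran into; rebuild with semodule -B afterwards so the dontaudit rules come back. Second, dac_override lets the domain ignore file ownership and mode entirely; here it is needed because cp and ovs-vsctl write under /etc/openvswitch as a non-root user, and fixing the ownership of that directory would usually be the tighter fix than granting the capability.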
Comment 7 Lon Hohberger 2017-10-13 15:18:23 UTC
Thanks!

Comment 9 Alfredo Moralejo 2017-10-13 16:26:05 UTC
It's working fine in my test environment after https://github.com/redhat-openstack/openstack-selinux/commit/9d30e36cea34027f6e4cda7fb190c2c989223f18

