<div dir="ltr">On the node side slightly different denials:<div><br></div><div><font face="monospace" size="1">type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for  pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for  pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266666.539:1174): avc:  denied  { add_name } for  pid=29743 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266666.539:1175): avc:  denied  { add_name } for  pid=29743 comm="ovs-monitor-ips" name="ipsec.secrets" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266754.214:46): avc:  denied  { search } for  pid=1585 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266754.214:46): avc:  denied  { search } for  pid=1585 comm="modprobe" name="events" dev="tracefs" ino=51 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266754.647:81): avc:  denied  { add_name } for  pid=1663 comm="ovs-monitor-ips" name="ipsec.conf" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647266754.647:82): avc:  denied  { add_name } for  pid=1663 comm="ovs-monitor-ips" name="ipsec.secrets" scontext=system_u:system_r:openvswitch_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0</font><br></div><div><font face="monospace" size="1"><br></font></div><div><font face="monospace" size="1"><br></font></div><div><font face="monospace" size="1">centos-release-nfv-openvswitch.noarch                                             1-3.el8                                                  @System<br>openvswitch-selinux-extra-policy.noarch                                           1.0-28.el8                                               @System<br>openvswitch2.15.x86_64                                                            2.15.0-81.el8s                                           @System<br>openvswitch2.15-ipsec.x86_64                                                      2.15.0-81.el8s                                           @System<br>ovirt-openvswitch.noarch                                                          2.15-3.el8                                               @System<br>ovirt-openvswitch-ipsec.noarch                                                    2.15-3.el8                                               @System<br>ovirt-openvswitch-ovn.noarch                                                      2.15-3.el8                                               @System<br>ovirt-openvswitch-ovn-common.noarch                                               2.15-3.el8                                               @System<br>ovirt-openvswitch-ovn-host.noarch                                                 2.15-3.el8                                               @System<br>ovirt-python-openvswitch.noarch                                                   2.15-3.el8                                               @System<br>python3-openvswitch2.15.x86_64                                                    2.15.0-81.el8s                                           @System</font><font face="monospace" size="1"><br></font></div><div><font face="monospace" size="1"><br></font></div><div><font 
face="monospace" size="1"><br></font></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 14 Mar 2022 at 15:32, Sandro Bonazzola <<a href="mailto:sbonazzo@redhat.com">sbonazzo@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi,<div>while testing oVirt for 4.5 alpha I noticed on the ovirt-engine side:</div><div><br></div><div><font face="monospace" size="1"># ausearch -m avc|grep den<br>type=AVC msg=audit(1646758341.539:780): avc:  denied  { search } for  pid=38783 comm="modprobe" name="events" dev="tracefs" ino=45 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1646758341.539:780): avc:  denied  { search } for  pid=38783 comm="modprobe" name="events" dev="tracefs" ino=45 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1646881861.570:998): avc:  denied  { write } for  pid=97466 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=195196 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1646881861.573:999): avc:  denied  { write } for  pid=97467 comm="ovs-appctl" name="ovn-northd.38883.ctl" dev="tmpfs" ino=195260 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1646881861.575:1000): avc:  denied  { write } for  pid=97468 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=198897 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1646969461.086:1037): avc:  denied  { write } for  pid=122222 comm="ovs-appctl" name="ovnnb_db.ctl" 
dev="tmpfs" ino=195196 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1646969461.089:1038): avc:  denied  { write } for  pid=122223 comm="ovs-appctl" name="ovn-northd.38883.ctl" dev="tmpfs" ino=195260 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1646969461.091:1039): avc:  denied  { write } for  pid=122224 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=198897 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0<br>type=AVC msg=audit(1647265858.456:54): avc:  denied  { search } for  pid=1245 comm="modprobe" name="events" dev="tracefs" ino=45 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0<br>type=AVC msg=audit(1647265858.456:54): avc:  denied  { search } for  pid=1245 comm="modprobe" name="events" dev="tracefs" ino=45 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0</font><br></div><div><br></div><div>Involved packages are:</div><div><br></div><div><font face="monospace" size="1">dnf list installed "*openvswitch*"<br>Installed Packages<br>centos-release-nfv-openvswitch.noarch                       1-3.el8                             @extras                <br>openvswitch-selinux-extra-policy.noarch                     1.0-28.el8                          @centos-nfv-openvswitch<br>openvswitch2.15.x86_64                                      2.15.0-81.el8s                      @centos-nfv-openvswitch<br>ovirt-openvswitch.noarch                                    2.15-3.el8                          @centos-ovirt45-testing<br>ovirt-openvswitch-ovn.noarch                                2.15-3.el8                          
@centos-ovirt45-testing<br>ovirt-openvswitch-ovn-central.noarch                        2.15-3.el8                          @centos-ovirt45-testing<br>ovirt-openvswitch-ovn-common.noarch                         2.15-3.el8                          @centos-ovirt45-testing<br>ovirt-python-openvswitch.noarch                             2.15-3.el8                          @centos-ovirt45-testing<br>python3-openvswitch2.15.x86_64                              2.15.0-81.el8s                      @centos-nfv-openvswitch<br clear="all"></font><div><br></div><div>As the openvswitch packages are coming from centos-release-nfv-openvswitch reporting to centos devel (no more specific location mentioned on <a href="https://wiki.centos.org/ReportBugs" target="_blank">https://wiki.centos.org/ReportBugs</a> )</div><div><br></div><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px"><span>Sandro</span> <span>Bonazzola</span><span style="text-transform:uppercase;color:rgb(170,170,170);margin:0px"></span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px"><span>MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV</span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px 0px 4px;font-size:12px"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px" target="_blank">Red Hat <span>EMEA</span></a></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-bottom:4px"></div><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px;font-size:12px"><span 
style="margin:0px;padding:0px"><a href="mailto:sbonazzo@redhat.com" style="color:rgb(0,0,0);margin:0px" target="_blank">sbonazzo@redhat.com</a>   </span></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-top:12px"><div style="margin-top:12px"><table border="0"><tbody><tr><td width="100px"><a href="https://www.redhat.com/" target="_blank"><img src="https://static.redhat.com/libs/redhat/brand-assets/2/corp/logo--200.png" width="96" height="23"></a></td><td style="font-size:12px"><div></div></td></tr></tbody></table></div></div><table border="0"><tbody><tr></tr></tbody></table><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b></b></font></div><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b>Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.<br></b></font></div><div style="margin-top:12px"><font color="#000000" face="arial, sans-serif" size="1"><b><br><br></b></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div>