[CentOS-devel] NFV SIG - AVC denials with openvswitch

Mon Mar 14 14:36:01 UTC 2022
Sandro Bonazzola <sbonazzo at redhat.com>

On the node side slightly different denials:

type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for
 pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for
 pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266666.539:1174): avc:  denied  { add_name } for
 pid=29743 comm="ovs-monitor-ips" name="ipsec.conf"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266666.539:1175): avc:  denied  { add_name } for
 pid=29743 comm="ovs-monitor-ips" name="ipsec.secrets"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266754.214:46): avc:  denied  { search } for
 pid=1585 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266754.214:46): avc:  denied  { search } for
 pid=1585 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266754.647:81): avc:  denied  { add_name } for
 pid=1663 comm="ovs-monitor-ips" name="ipsec.conf"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266754.647:82): avc:  denied  { add_name } for
 pid=1663 comm="ovs-monitor-ips" name="ipsec.secrets"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0


centos-release-nfv-openvswitch.noarch     1-3.el8         @System
openvswitch-selinux-extra-policy.noarch   1.0-28.el8      @System
openvswitch2.15.x86_64                    2.15.0-81.el8s  @System
openvswitch2.15-ipsec.x86_64              2.15.0-81.el8s  @System
ovirt-openvswitch.noarch                  2.15-3.el8      @System
ovirt-openvswitch-ipsec.noarch            2.15-3.el8      @System
ovirt-openvswitch-ovn.noarch              2.15-3.el8      @System
ovirt-openvswitch-ovn-common.noarch       2.15-3.el8      @System
ovirt-openvswitch-ovn-host.noarch         2.15-3.el8      @System
ovirt-python-openvswitch.noarch           2.15-3.el8      @System
python3-openvswitch2.15.x86_64            2.15.0-81.el8s  @System



On Mon, 14 Mar 2022 at 15:32 Sandro Bonazzola <
sbonazzo at redhat.com> wrote:

> Hi,
> while testing oVirt for 4.5 alpha I noticed on the ovirt-engine side:
>
> # ausearch -m avc|grep den
> type=AVC msg=audit(1646758341.539:780): avc:  denied  { search } for
>  pid=38783 comm="modprobe" name="events" dev="tracefs" ino=45
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1646758341.539:780): avc:  denied  { search } for
>  pid=38783 comm="modprobe" name="events" dev="tracefs" ino=45
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1646881861.570:998): avc:  denied  { write } for
>  pid=97466 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=195196
> scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1646881861.573:999): avc:  denied  { write } for
>  pid=97467 comm="ovs-appctl" name="ovn-northd.38883.ctl" dev="tmpfs"
> ino=195260 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1646881861.575:1000): avc:  denied  { write } for
>  pid=97468 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=198897
> scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1646969461.086:1037): avc:  denied  { write } for
>  pid=122222 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=195196
> scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1646969461.089:1038): avc:  denied  { write } for
>  pid=122223 comm="ovs-appctl" name="ovn-northd.38883.ctl" dev="tmpfs"
> ino=195260 scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1646969461.091:1039): avc:  denied  { write } for
>  pid=122224 comm="ovs-appctl" name="ovnsb_db.ctl" dev="tmpfs" ino=198897
> scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
> type=AVC msg=audit(1647265858.456:54): avc:  denied  { search } for
>  pid=1245 comm="modprobe" name="events" dev="tracefs" ino=45
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1647265858.456:54): avc:  denied  { search } for
>  pid=1245 comm="modprobe" name="events" dev="tracefs" ino=45
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
>
> Involved packages are:
>
> dnf list installed "*openvswitch*"
> Installed Packages
> centos-release-nfv-openvswitch.noarch     1-3.el8         @extras
> openvswitch-selinux-extra-policy.noarch   1.0-28.el8      @centos-nfv-openvswitch
> openvswitch2.15.x86_64                    2.15.0-81.el8s  @centos-nfv-openvswitch
> ovirt-openvswitch.noarch                  2.15-3.el8      @centos-ovirt45-testing
> ovirt-openvswitch-ovn.noarch              2.15-3.el8      @centos-ovirt45-testing
> ovirt-openvswitch-ovn-central.noarch      2.15-3.el8      @centos-ovirt45-testing
> ovirt-openvswitch-ovn-common.noarch       2.15-3.el8      @centos-ovirt45-testing
> ovirt-python-openvswitch.noarch           2.15-3.el8      @centos-ovirt45-testing
> python3-openvswitch2.15.x86_64            2.15.0-81.el8s  @centos-nfv-openvswitch
>
> As the openvswitch packages are coming from centos-release-nfv-openvswitch
> reporting to centos devel (no more specific location mentioned on
> https://wiki.centos.org/ReportBugs )
>

-- 

Sandro Bonazzola

MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV

Red Hat EMEA <https://www.redhat.com/>

sbonazzo at redhat.com
<https://www.redhat.com/>

*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
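An added triage script for the denials in this thread; it is example code, not part of the thread and not code from the openvswitch, oVirt or selinux-policy packages. It re-joins AVC records wrapped by a mail client (the form pasted above), drops exact duplicate records such as the twice-logged tracefs search, groups the distinct denials by source type, target type and object class into the Type Enforcement allow rules audit2allow would draft, and flags any rule whose target is a generic type. The sample input is constructed from records in this thread; the set of generic types to flag (REVIEW_TYPES) is an assumption for illustration.

```python
"""Triage SELinux AVC denials: dedupe, group, draft audit2allow-style rules.

Added example for this thread (not code from the openvswitch or oVirt
packages). Input is wrapped ausearch output as pasted in mail; records are
re-joined, exact duplicates collapsed, then grouped by source type, target
type and object class into Type Enforcement allow rules. Rules against
generic target types (REVIEW_TYPES is an illustrative assumption) are
flagged, because allowing them grants far more than the one file the
denial was about.
"""
import re
from collections import OrderedDict

# Constructed sample: records taken from the thread above, in the same
# line-wrapped form, including one record that appears twice.
SAMPLE_AVC = """\
type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for
 pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266623.821:879): avc:  denied  { search } for
 pid=22825 comm="modprobe" name="events" dev="tracefs" ino=51
scontext=system_u:system_r:openvswitch_load_module_t:s0
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266666.539:1174): avc:  denied  { add_name } for
 pid=29743 comm="ovs-monitor-ips" name="ipsec.conf"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1647266666.539:1175): avc:  denied  { add_name } for
 pid=29743 comm="ovs-monitor-ips" name="ipsec.secrets"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1646881861.570:998): avc:  denied  { write } for
 pid=97466 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=195196
scontext=system_u:system_r:openvswitch_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s*for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic target types where a blanket allow is usually the wrong fix
# (assumption for this example; tune to your policy).
REVIEW_TYPES = {"etc_t", "var_run_t", "tmp_t", "usr_t"}


def join_wrapped(text):
    """Re-join records a mail client wrapped: a line starting with 'type='
    begins a record, any other non-blank line continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line
    return records


def parse_avc(text):
    """Return one dict per distinct AVC denial (exact duplicates dropped)."""
    seen = set()
    out = []
    for raw in join_wrapped(text):
        norm = " ".join(raw.split())
        if norm in seen:
            continue
        m = AVC_RE.search(norm)
        if not m:
            continue
        seen.add(norm)
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        rec["perms"] = m.group("perms").split()
        rec["serial"] = int(m.group("serial"))
        out.append(rec)
    return out


def type_of(context):
    """'system_u:system_r:openvswitch_t:s0-s0:c0.c1023' -> 'openvswitch_t'."""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse denials into audit2allow-style rules.
    Returns [(rule_text, needs_review), ...] in first-seen order."""
    groups = OrderedDict()
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        groups.setdefault(key, set()).update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in groups.items():
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        rules.append((rule, tgt in REVIEW_TYPES))
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print("%d distinct denials" % len(recs))
    for rec in recs:
        print("  serial=%s comm=%s name=%s %s" % (
            rec["serial"], rec.get("comm"), rec.get("name"), " ".join(rec["perms"])))
    for rule, review in allow_rules(recs):
        print(("REVIEW  " if review else "ok      ") + rule)
```

The flagged rules are the ones not to feed straight into `semodule -i`: `allow openvswitch_t etc_t:dir { add_name };` would let the daemon create any file under /etc, not just ipsec.conf and ipsec.secrets, and `var_run_t` covers every unlabelled socket under /run. For those, a dedicated file context for the paths involved, or a private type the policy already defines, is the narrower fix; the tracefs search rule is specific enough to review on its own merits.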