On 12/30/2012 04:17 PM, Ian Pilcher wrote:
> And getting a ton of SELinux AVCs?
>
> According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the
> openvswitch policy should be in
> selinux-policy-targeted-3.11.1-66.fc18.noarch, but I'm seeing a ton of
> messages related to kmod, files in /etc/modprobe.d, and a netlink socket.
>
> type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request }
> for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
>
> type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl
> success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0
> ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for
> pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
>
> type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg
> success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583
> pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>

I see these rules in selinux-policy-3.11.1-69.fc18.noarch

audit2allow -i /tmp/t

#============= openvswitch_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'

allow openvswitch_t kernel_t:system module_request;
#!!!! This avc is allowed in the current policy

allow openvswitch_t self:netlink_route_socket nlmsg_write;

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
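
Added example (not part of the original message, and not audit2allow's own code): a Python triage helper that derives the two allow rules shown above from the quoted AVC records and decodes the hex-encoded exe= field of the SYSCALL record. The function names are hypothetical, the SYSCALL record is shortened to the fields used, and unlike audit2allow it emits one rule per permission and does not consult the loaded policy or its booleans.

```python
import re

# Records copied from the message above (mail line wrapping removed;
# the SYSCALL record is shortened to the fields this example reads).
SAMPLE = """\
type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl success=no exit=ENODEV comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def allow_rules(log_text):
    """Map each AVC denial to the allow rule that would permit it."""
    rules = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        perms, scon, tcon, tclass = m.groups()
        source, target = selinux_type(scon), selinux_type(tcon)
        if target == source:
            target = "self"  # same domain on both sides is written as self
        for perm in perms.split():
            rules.add(f"allow {source} {target}:{tclass} {perm};")
    return sorted(rules)

def decode_exe(record):
    """Return the exe= path; an unquoted hex value is a hex-encoded path."""
    m = re.search(r'\bexe=("[^"]*"|\S+)', record)
    if not m:
        return None
    value = m.group(1)
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not valid hex: leave the field as logged

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    print(decode_exe(SAMPLE.splitlines()[1]))
```

The decoded exe value ends in " (deleted)", which the kernel appends when the file backing the running binary has been unlinked from disk.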