On 12/30/2012 04:17 PM, Ian Pilcher wrote:
And getting a ton of SELinux AVCs?
According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the
openvswitch policy should be in
selinux-policy-targeted-3.11.1-66.fc18.noarch, but I'm seeing a ton of
messages related to kmod, files in /etc/modprobe.d, and a netlink socket.
type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request }
for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6"
scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl
success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0
ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for
pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0
tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg
success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583
pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
subj=system_u:system_r:openvswitch_t:s0 key=(null)
I see these rules in selinux-policy-3.11.1-69.fc18.noarch
audit2allow -i /tmp/t
#============= openvswitch_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow openvswitch_t kernel_t:system module_request;
#!!!! This avc is allowed in the current policy
allow openvswitch_t self:netlink_route_socket nlmsg_write;
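
The mapping from the AVC records quoted in this thread to the two allow rules in the audit2allow output, as an added example that is not part of either message and is not audit2allow's own code. The function names are hypothetical, and the sample is the thread's records re-joined onto single lines with the SYSCALL record shortened.

```python
import re

# Records copied from the thread, re-joined onto one line each
# (the SYSCALL record is shortened to the fields used here).
SAMPLE = """\
type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl success=no exit=ENODEV comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
EXE_RE = re.compile(r"\bexe=(\S+)")


def decode_audit_field(value):
    """Decode an audit field: quoted values are literal, bare hex is encoded."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def allow_rules(log_text):
    """Collapse AVC denials into sorted, de-duplicated allow rules."""
    perms_by_key = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type[:level]; rules are written on the type.
        source, target = scon.split(":")[2], tcon.split(":")[2]
        if target == source:
            target = "self"  # same domain on both sides is written as "self"
        perms_by_key.setdefault((source, target, tclass), set()).update(perms.split())
    rules = []
    for (source, target, tclass), perms in sorted(perms_by_key.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules


def executables(log_text):
    """Return the decoded exe= paths seen in the log."""
    return sorted({decode_audit_field(v) for v in EXE_RE.findall(log_text)})
```

The `#!!!!` annotations in the audit2allow output come from checking the loaded policy, which this sketch does not do; it only shows the log-to-rule mapping and the decoding of the hex-encoded `exe=` field.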