Anyone else using Open vSwitch on F18?
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 2 18:46:31 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/30/2012 04:17 PM, Ian Pilcher wrote:
> And getting a ton of SELinux AVCs?
>
> According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the
> openvswitch policy should be in selinux-policy-targeted-
> 3.11.1-66.fc18.noarch, but I'm seeing a ton of messages related to kmod,
> files in /etc/modprobe.d, and a netlink socket.
>
> type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request }
> for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
>
> type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl
> success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0
> ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for
> pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
>
> type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg
> success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583
> pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd
> exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429
> subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
I see these rules in selinux-policy-3.11.1-69.fc18.noarch
audit2allow -i /tmp/t
#============= openvswitch_t ==============
#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow openvswitch_t kernel_t:system module_request;
#!!!! This avc is allowed in the current policy
allow openvswitch_t self:netlink_route_socket nlmsg_write;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDkgIcACgkQrlYvE4MpobPYyQCgyfQF9RoBytouocvxoqSVfcUw
ag4Anj8cXbce7S7v+NHhN9WMC3993ct2
=QwuT
-----END PGP SIGNATURE-----
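As an added illustration (my own code, not from this thread, from audit2allow, or from the Fedora policy packages): a small Python triage script that does for the two quoted records what audit2allow did in the reply above. It parses each AVC record into source type, target type, object class and permissions, prints the allow rule the denial would need, flags the one the reply says is already covered by the 'domain_kernel_load_modules' boolean, and decodes the hex-encoded exe= field from the matching SYSCALL record. The sample input is the thread's own audit lines re-joined onto single lines (the mail client wrapped them); the BOOLEAN_HINTS table and the HEX_FIELDS set are assumptions seeded from what the thread shows, not a complete copy of the policy's booleans or of auditd's encoding rules.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the thread,
# re-joined onto single lines (the mail client wrapped them).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((?P<serial>[\d.]+:\d+)\)")
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Assumption: fields auditd hex-encodes when the value holds a space or an
# unprintable byte. Numeric fields such as pid= are deliberately excluded.
HEX_FIELDS = {"exe", "comm", "proctitle", "cwd", "name"}

# Assumption: (target type, class, permission) -> boolean that already covers it.
# Seeded only from the audit2allow comment quoted in the reply.
BOOLEAN_HINTS = {("kernel_t", "system", "module_request"): "domain_kernel_load_modules"}


def decode_hex_field(value):
    """Turn an unquoted hex-encoded audit value back into text."""
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def parse_fields(text):
    """Split key=value pairs; unquote quoted values, decode hex ones."""
    out = {}
    for key, raw in FIELD_RE.findall(text):
        if raw.startswith('"'):
            out[key] = raw.strip('"')
        elif key in HEX_FIELDS and HEX_RE.fullmatch(raw):
            out[key] = decode_hex_field(raw)
        else:
            out[key] = raw
    return out


def parse_avc(line):
    """Return the AVC's fields plus a 'perms' list, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = parse_fields(m.group("fields"))
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    # A context is user:role:type:level; the type is what policy rules name.
    return context.split(":")[2]


def allow_rule(avc):
    """Build the allow rule this denial would need, as audit2allow prints it."""
    src = type_of(avc["scontext"])
    tgt = type_of(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{avc['tclass']} {perm_str};"


def boolean_hint(avc):
    """Name a boolean that already covers the denial, if the hint table knows one."""
    tgt = type_of(avc["tcontext"])
    for perm in avc["perms"]:
        hint = BOOLEAN_HINTS.get((tgt, avc["tclass"], perm))
        if hint:
            return hint
    return None


def triage(audit_text):
    """Pair each AVC with its SYSCALL record (same audit serial) and summarise it."""
    lines = audit_text.splitlines()
    exe_by_serial = {}
    for line in lines:
        if line.startswith("type=SYSCALL"):
            m = SERIAL_RE.search(line)
            fields = parse_fields(line)
            if m and "exe" in fields:
                exe_by_serial[m.group("serial")] = fields["exe"]
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        m = SERIAL_RE.search(line)
        serial = m.group("serial") if m else None
        results.append({
            "rule": allow_rule(avc),
            "boolean": boolean_hint(avc),
            "kmod": avc.get("kmod"),
            "exe": exe_by_serial.get(serial),
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        print(r["rule"], "| boolean:", r["boolean"], "| kmod:", r["kmod"], "| exe:", r["exe"])
```

Two things the output makes visible that the raw records hide: the first denial carries kmod="netdev-vnet6", so it is the daemon asking the kernel to autoload a module for an interface name rather than a real privilege escalation, which is why a boolean rather than a custom module is the right fix; and the decoded exe= value ends in "(deleted)", meaning the ovs-vswitchd binary on disk had been replaced (for example by a package update) while the old process kept running, so the denials were raised by a process that a restart would have replaced anyway.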