On 12/30/2012 04:17 PM, Ian Pilcher wrote:
> And getting a ton of SELinux AVCs?
>
> According to https://bugzilla.redhat.com/show_bug.cgi?id=872974#c2, the openvswitch policy should be in selinux-policy-targeted-3.11.1-66.fc18.noarch, but I'm seeing a ton of messages related to kmod, files in /etc/modprobe.d, and a netlink socket.
>
> type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
> type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
> type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
I see these rules in selinux-policy-3.11.1-69.fc18.noarch
audit2allow -i /tmp/t
#============= openvswitch_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow openvswitch_t kernel_t:system module_request;

#!!!! This avc is allowed in the current policy
allow openvswitch_t self:netlink_route_socket nlmsg_write;
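An added example, not part of either message above and not audit2allow's own code: a small Python script that does offline, on the four records posted in this thread, the mapping audit2allow performs. It parses each type=AVC record into the source type, target type, object class and permission set that an allow rule needs, aggregates them the way audit2allow does (one rule per source/target/class, "self" when both types match), pairs every denial with its type=SYSCALL record by audit serial number, and decodes the hex-encoded exe= field. The sample input is the records from the post, embedded as a constructed string; the boolean lookup table is hand-written for this example and only mirrors the one boolean audit2allow reported above (the real mapping comes from the installed policy), and the list of fields it tries to hex-decode is my own choice, not taken from the audit documentation.

```python
import re
from collections import defaultdict

# Constructed sample input: the four records quoted in the thread.
SAMPLE_RECORDS = """\
type=AVC msg=audit(1356894958.32:2022): avc: denied { module_request } for pid=1584 comm="ovs-vswitchd" kmod="netdev-vnet6" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1356894958.32:2022): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=10 a1=8913 a2=7fff99c842d0 a3=ffffffff items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1356894968.741:2209): avc: denied { nlmsg_write } for pid=1584 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1356894968.741:2209): arch=x86_64 syscall=sendmsg success=yes exit=EBADE a0=25 a1=7fff99c83530 a2=0 a3=200 items=0 ppid=1583 pid=1584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovs-vswitchd exe=2F7573722F7362696E2F6F76732D7673776974636864202864656C6574656429 subj=system_u:system_r:openvswitch_t:s0 key=(null)
"""

# The AVC record carries the permission set and both contexts; the SYSCALL
# record with the same serial number carries the syscall, its result and exe=.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# String fields the kernel hex-encodes when the value contains a space, a
# quote or a non-printable byte (list chosen for this example). Any unquoted,
# even-length, all-hex value in one of these fields is decoded; a comm such
# as "dead" would be mis-decoded by this heuristic.
HEX_ENCODED_FIELDS = {"exe", "comm", "cwd", "name", "proctitle"}
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

# Hand-written hint table for this example, mirroring only the boolean that
# audit2allow named in the thread. Key: (target type, class, permission).
BOOLEAN_HINTS = {
    ("kernel_t", "system", "module_request"): "domain_kernel_load_modules",
}


def parse_fields(text):
    """Turn 'k=v k="v v" ...' into a dict, decoding hex-encoded strings."""
    out = {}
    for key, val in FIELD_RE.findall(text):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key in HEX_ENCODED_FIELDS and len(val) % 2 == 0 and HEX_RE.match(val):
            val = bytes.fromhex(val).decode("utf-8", errors="replace")
        out[key] = val
    return out


def context_type(ctx):
    """'system_u:system_r:openvswitch_t:s0' -> 'openvswitch_t'."""
    return ctx.split(":")[2]


def parse_records(text):
    """Return (list of AVC dicts, dict of SYSCALL fields keyed by serial)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = parse_fields(m.group("fields"))
            avcs.append({"serial": m.group("serial"),
                         "perms": set(m.group("perms").split()),
                         "src": context_type(f["scontext"]),
                         "tgt": context_type(f["tcontext"]),
                         "tclass": f["tclass"]})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = parse_fields(m.group("fields"))
    return avcs, syscalls


def format_rule(src, tgt, tclass, perms):
    """Render one aggregated denial as an audit2allow-style allow rule."""
    target = "self" if src == tgt else tgt
    perm_txt = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_txt = "{ " + perm_txt + " }"
    return f"allow {src} {target}:{tclass} {perm_txt};"


def triage(text):
    """One report entry per rule: the rule, any known boolean, and the
    syscalls (with decoded exe=) that produced the denials behind it."""
    avcs, syscalls = parse_records(text)
    by_rule = defaultdict(lambda: {"perms": set(), "events": []})
    for a in avcs:
        entry = by_rule[(a["src"], a["tgt"], a["tclass"])]
        entry["perms"] |= a["perms"]
        sc = syscalls.get(a["serial"], {})
        entry["events"].append({"serial": a["serial"], "syscall": sc.get("syscall"),
                                "success": sc.get("success"), "exe": sc.get("exe")})
    report = []
    for (src, tgt, tclass), entry in sorted(by_rule.items()):
        booleans = sorted({BOOLEAN_HINTS[(tgt, tclass, p)] for p in entry["perms"]
                           if (tgt, tclass, p) in BOOLEAN_HINTS})
        report.append({"rule": format_rule(src, tgt, tclass, entry["perms"]),
                       "booleans": booleans, "events": entry["events"]})
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(r["rule"])
        for b in r["booleans"]:
            print(f"  # could be allowed with: setsebool -P {b} on")
        for e in r["events"]:
            print(f"  # serial {e['serial']}: {e['syscall']} success={e['success']} exe={e['exe']}")
```

Two things the script surfaces that the raw records hide. First, exe= decodes to "/usr/sbin/ovs-vswitchd (deleted)": the audit subsystem hex-encodes strings containing spaces, and the "(deleted)" suffix means the file the running daemon was started from has since been unlinked (typically by a package update), so pid 1584 is still the old binary. Second, the second denial's syscall has success=yes, which is why it shows up as an AVC that the newer policy already allows rather than as a functional failure. Whether to set domain_kernel_load_modules is a separate judgement; as its name says, that boolean is not specific to openvswitch_t.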