openvswitch sysctl SELinux denials

Bug #1405021 reported by Richard Su
Affects: tripleo    Status: Invalid    Importance: High    Assigned to: Unassigned    Milestone: none

Bug Description

On Fedora 20, tripleo-ci has recently started to log denials with openvswitch and sysctl.

type=AVC msg=audit(1418940256.937:191): avc: denied { search } for pid=3481 comm="handler5" name="net" dev="proc" ino=9722 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1418940256.937:191): avc: denied { read } for pid=3481 comm="handler5" name="netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1418940256.937:191): avc: denied { open } for pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1418940256.937:192): avc: denied { getattr } for pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1

Revision history for this message
Richard Su (rwsu) wrote :
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-image-elements (master)

Fix proposed to branch: master
Review: https://review.openstack.org/143572

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
Richard Su (rwsu) wrote :

Also filed bug to upstream selinux policy: https://bugzilla.redhat.com/show_bug.cgi?id=1176730

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/143572
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=1d5e18a157aebb965320338a1b98540713344d06
Submitter: Jenkins
Branch: master

commit 1d5e18a157aebb965320338a1b98540713344d06
Author: Richard Su <email address hidden>
Date: Mon Dec 22 16:14:06 2014 -0800

    Custom policy for openvswitch SELinux denials

    Tripleo-ci has started to log denials about openvswitch and
    sysctl interactions.

    Change-Id: I9ef2162d60dd0ac8a062f11c817849a84ff84546
    Partial-Bug: 1405021

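Worked example, added here; it is neither part of the bug report nor the contents of the tripleo-image-elements change merged above, whose actual rules this page does not show. The script does by hand what audit2allow does with the four AVC records from the description: it parses them, collapses them into (source type, target type, object class) -> permission sets, renders a policy module source in the shape audit2allow -M emits, and flags any write-like permission so the module gets reviewed instead of installed blindly. The module name openvswitch_sysctl, the helper names and the write-like permission list are this example's own choices. Note that every record carries permissive=1, which means the access was logged but not blocked.

```python
"""Aggregate SELinux AVC denials into a draft policy module and review it."""
import re
from collections import defaultdict

# Constructed sample input: the four AVC records from the bug description,
# pasted here so the script runs offline (not output captured by this script).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1418940256.937:191): avc: denied { search } for pid=3481 comm="handler5" name="net" dev="proc" ino=9722 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1418940256.937:191): avc: denied { read } for pid=3481 comm="handler5" name="netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1418940256.937:191): avc: denied { open } for pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1418940256.937:192): avc: denied { getattr } for pid=3481 comm="handler5" path="/proc/sys/net/core/netdev_max_backlog" dev="proc" ino=16646 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

# Matches the fields of an AVC "denied" record; other audit record types are ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Permissions that change state rather than read it; this list is the example's
# own choice of what deserves a second look before an allow rule is shipped.
WRITE_LIKE = {"write", "append", "create", "unlink", "setattr", "rename",
              "execute", "execute_no_trans", "execmod", "execmem",
              "relabelto", "relabelfrom"}


def parse_avc(line):
    """Return the fields of one AVC 'denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        # permissive= is absent on old kernels; treat missing as enforcing.
        "permissive": m.group("permissive") or "0",
    }


def type_of(context):
    """Pull the type out of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Collapse records into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key] |= rec["perms"]
    return dict(rules)


def enforced_denials(log_text):
    """Count records that were actually blocked (permissive=0), not merely logged."""
    count = 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["permissive"] == "0":
            count += 1
    return count


def fmt_perms(perms):
    """Policy syntax: a bare name for one permission, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name, version="1.0"):
    """Render the aggregated denials as a policy module source (.te file)."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def review_flags(rules):
    """Return a warning per rule that grants write-like access; empty if none."""
    flags = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & WRITE_LIKE)
        if risky:
            flags.append(f"{src} -> {tgt}:{tclass} grants {' '.join(risky)}; "
                         f"confirm the daemon really needs this")
    return flags


if __name__ == "__main__":
    rules = summarize(SAMPLE_AUDIT_LOG)
    print(render_te(rules, "openvswitch_sysctl"))
    for warning in review_flags(rules):
        print("REVIEW:", warning)
    print(f"# enforced denials in input: {enforced_denials(SAMPLE_AUDIT_LOG)}")
```

The rendered source is built and loaded the usual way (checkmodule -M -m -o openvswitch_sysctl.mod openvswitch_sysctl.te; semodule_package -o openvswitch_sysctl.pp -m openvswitch_sysctl.mod; semodule -i openvswitch_sysctl.pp). For this input the generated rules only grant search on the sysctl directory and read/open/getattr on the file, so nothing is flagged; a denial asking for write on sysctl_net_t would be, since that would let the daemon change kernel network tunables. A local module like this is exactly the workaround the bug was tagged as: it silences the denial on the image, while the durable fix belongs in the distribution policy, which is what the Bugzilla filed in this thread asked for.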
Brent Eagles (beagles)
tags: added: workaround
Revision history for this message
Emilien Macchi (emilienm) wrote :

This bug is > 365 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in tripleo:
assignee: Richard Su (rwsu) → nobody
status: In Progress → Incomplete
Revision history for this message
Alex Schultz (alex-schultz) wrote :

Closing this bug as I don't think it's valid anymore. Please reopen if necessary.

Changed in tripleo:
status: Incomplete → Invalid