On Sat, Sep 13, 2014 at 09:41:18PM -0400, Gregory Gee wrote:
>
> It looks like an SELinux issue or something wrong with the init script that
> SELinux is catching. When I changed it from Enforcing to Permissive, it
> started fine. The following were the details in the alert that got reported.
> As I mentioned, this only occurs if you use the init scripts to start it.
Those issues were corrected a long time ago, so either your filesystem
labeling needs to be fixed or you have an old selinux-policy package
installed.
I have here:
$ ls -dZ /etc/openvswitch
drwxr-xr-x. root root system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch
# ls -lZ /etc/openvswitch/*
-rw-r--r--. root root system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db
-rw-r--r--. root root system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/conf.db.backup-
-rw-r--r--. root root system_u:object_r:openvswitch_rw_t:s0 /etc/openvswitch/system-id.conf
fbl
>
>
> SELinux is preventing /usr/sbin/ovsdb-server from write access on the
> directory .
>
> ***** Plugin catchall_labels (83.8 confidence) suggests
> *******************
>
> If you want to allow ovsdb-server to have write access on the directory
> Then you need to change the label on $FIX_TARGET_PATH
> Do
> # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
> where FILE_TYPE is one of the following: openvswitch_log_t,
> openvswitch_rw_t, openvswitch_tmp_t, openvswitch_var_lib_t,
> openvswitch_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
> Then execute:
> restorecon -v '$FIX_TARGET_PATH'
>
>
> ***** Plugin catchall (17.1 confidence) suggests **************************
>
> If you believe that ovsdb-server should be allowed write access on the
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep ovsdb-server /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:openvswitch_t:s0
> Target Context unconfined_u:object_r:etc_t:s0
> Target Objects [ dir ]
> Source ovsdb-server
> Source Path /usr/sbin/ovsdb-server
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages openvswitch-2.3.0-1.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.12.1-153.el7_0.10.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 3.10.0-123.6.3.el7.x86_64 #1 SMP Wed Aug 6
> 21:12:36 UTC 2014 x86_64 x86_64
> Alert Count 9
> First Seen 2014-08-30 15:08:18 EDT
> Last Seen 2014-09-13 21:31:59 EDT
> Local ID ed5200fb-b534-4f72-b3ba-353548da4595
>
> Raw Audit Messages
> type=AVC msg=audit(1410658319.418:200): avc: denied { write } for
> pid=3414 comm="ovsdb-tool" name="openvswitch" dev="dm-0" ino=27570230
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
>
>
> type=AVC msg=audit(1410658319.418:200): avc: denied { add_name } for
> pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
>
>
> type=AVC msg=audit(1410658319.418:200): avc: denied { create } for
> pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~"
> scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
>
> type=AVC msg=audit(1410658319.418:200): avc: denied { write } for
> pid=3414 comm="ovsdb-tool" path="/etc/openvswitch/.conf.db.~lock~"
> dev="dm-0" ino=27570223 scontext=system_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1410658319.418:200): arch=x86_64 syscall=open
> success=yes exit=ESRCH a0=24bc930 a1=42 a2=180 a3=7fff2a5da840 items=0
> ppid=3335 pid=3414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovsdb-tool
> exe=/usr/bin/ovsdb-tool subj=system_u:system_r:openvswitch_t:s0 key=(null)
>
> Hash: ovsdb-server,openvswitch_t,etc_t,dir,write
>
>
> On 03/09/2014 10:51 AM, Flavio Leitner wrote:
> >On Sat, Aug 30, 2014 at 09:06:59PM -0400, Gregory Gee wrote:
> >> I know, it looks that way. But I checked many times before running the
> >>init script that no OVS processes were running. Even shown below, the
> >>ovsdb-tool to create the initial DB fails. I know at that point nothing was
> >>running. It's really odd behaviour.
> >>
> >>/etc/openvswitch/conf.db does not exist ... (warning).
> >>Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error:
> >>/etc/openvswitch/conf.db: failed to lock lockfile (Resource temporarily
> >>unavailable)
> >>[FAILED]
> >Maybe it's a stale lock /etc/openvswitch/.conf*
> >
> >or it could be an SELinux issue.
> >
> >fbl
> >
> >>Greg
> >>
> >>On 30/08/2014 6:45 PM, Ben Pfaff wrote:
> >>>On Sat, Aug 30, 2014 at 03:48:29PM -0400, Gregory Gee wrote:
> >>>> Then installed the RPM. But when I try and start OVS, ovsdb fails
> >>>>to start.
> >>>>
> >>>>[root@localhost ~]# /etc/init.d/openvswitch start
> >>>>Starting ovsdb-server ovsdb-server: I/O error:
> >>>>/etc/openvswitch/conf.db: failed to lock lockfile (Resource
> >>>>temporarily unavailable)
> >>>>[FAILED]
> >>>This message probably means that ovsdb-server is already running.
> >>>If you started it separately from the initscript, then you should kill
> >>>that one before using the initscript to start it.
> >>_______________________________________________
> >>discuss mailing list
> >>[email protected]
> >>http://openvswitch.org/mailman/listinfo/discuss
>
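As an added illustration (not code from the thread or from Open vSwitch): a small triage script that parses the raw AVC records quoted above and separates a mislabeling problem, which restorecon fixes, from a genuine policy gap, which the catchall plugin says should be reported as a bug rather than papered over with audit2allow. The set of generic base types and the expected openvswitch_rw_t label are assumptions taken from the catchall_labels list and the ls -Z output in the thread; the audit sample is constructed from the quoted records.

```python
import re

# Constructed sample: the AVC records quoted in the thread, joined to one
# line each as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1410658319.418:200): avc:  denied  { write } for  pid=3414 comm="ovsdb-tool" name="openvswitch" dev="dm-0" ino=27570230 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1410658319.418:200): avc:  denied  { add_name } for  pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~" scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1410658319.418:200): avc:  denied  { create } for  pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1410658319.418:200): avc:  denied  { write } for  pid=3414 comm="ovsdb-tool" path="/etc/openvswitch/.conf.db.~lock~" dev="dm-0" ino=27570223 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1410658319.418:200): arch=x86_64 syscall=open success=yes exit=ESRCH a0=24bc930
"""

# Assumption: generic base types (from the catchall_labels list) that a daemon's
# private files should not carry; one of them as the target type is the
# signature of a labeling problem rather than a missing policy rule.
GENERIC_TYPES = {"etc_t", "var_lib_t", "var_run_t", "var_log_t", "tmp_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Turn one type=AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]  # e.g. openvswitch_t
    rec["ttype"] = rec["tcontext"].split(":")[2]  # e.g. etc_t
    return rec

def triage(audit_text):
    """Map each distinct (comm, source type, target type, class, perm) denial,
    the tuple setroubleshoot prints as 'Hash', to a relabel-or-report verdict."""
    verdicts = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = rec.get("path") or rec.get("name", "?")
        for perm in rec["perms"]:
            key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm)
            if rec["ttype"] in GENERIC_TYPES:
                verdicts[key] = f"relabel: {target} is {rec['ttype']}; run restorecon -Rv on it"
            else:
                verdicts[key] = "policy gap: report it as a bug instead of loading an audit2allow module"
    return verdicts

def label_matches(ls_z_line, expected_type):
    """Check one line of `ls -Z` output against the type the policy expects."""
    ctx = next(f for f in ls_z_line.split() if f.count(":") >= 3)
    return ctx.split(":")[2] == expected_type
```

Running triage over the quoted records yields four distinct denials, all pointing at the etc_t label on /etc/openvswitch, which is exactly the restorecon case rather than the audit2allow case.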