Yi-Hung Wei <[email protected]> writes:

> Starting from OVS 2.10, ovs-vswitchd may fail to run after system reboot
> since it fails to load the ovs kernel module. It is because the conntrack
> zone limit feature introduced in OVS 2.10 now depends on the
> nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading the
> two kernel modules.
>
> Example log of the AVC violations:
> type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans }
> for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
>
> type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for
> pid=819 comm="modprobe" kmod="nf_conntrack-2"
> scontext=system_u:system_r:openvswitch_load_module_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=system
>
> This patch adds the missing permissions for the modprobe command in ovs-kmod-ctl
> so that the aforementioned issue is resolved.
>
> VMWare-BZ: #2257534
> Signed-off-by: Yi-Hung Wei <[email protected]>
> ---
Good catch.

Acked-by: Aaron Conole <[email protected]>

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
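The two AVC records quoted in the patch description are the raw material a policy author works from: the source domain (openvswitch_load_module_t), the target type (shell_exec_t, kernel_t), the object class and the denied permission. As an added example, not code from the patch or from Open vSwitch, the Python below parses audit AVC records into those fields, flags the object involved (the path or the requested kmod), and collapses the denials into one candidate `allow` rule per (source type, target type, class, permission), which is the same reduction audit2allow performs. The sample log is the two records from the post, reflowed onto one line each as auditd writes them; the function and class names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the two AVC denials quoted in the patch description above,
# each reflowed onto a single line (audit emits one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# Header of an AVC record: timestamp:serial, denied/granted, the permission
# set in braces, then "for" followed by key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are double-quoted (comm, path, kmod) or bare (pid, scontext).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: List[str]
    fields: Dict[str, str] = field(default_factory=dict)


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    """Keep only the AVC records from a mixed audit log."""
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the component policy rules are written against."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def describe(rec: AvcRecord) -> str:
    """One triage line per record: who was denied what, on which object."""
    f = rec.fields
    obj = f.get("path") or f.get("kmod") or f.get("name") or "?"
    return (f"pid={f.get('pid')} comm={f.get('comm')} {rec.result} "
            f"{','.join(rec.perms)} on {f.get('tclass')} {obj} "
            f"({context_type(f['scontext'])} -> {context_type(f['tcontext'])})")


def suggest_allow_rules(text: str) -> List[str]:
    """Collapse denials into candidate allow rules, one per
    (source type, target type, class, permission), sorted for stable review."""
    needed: Counter = Counter()
    for rec in parse_audit_log(text):
        if rec.result != "denied":
            continue
        f = rec.fields
        for perm in rec.perms:
            key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"], perm)
            needed[key] += 1
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in needed)


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(describe(rec))
    print("\n".join(suggest_allow_rules(SAMPLE_AUDIT_LOG)))
```

The output is a starting point for review, not a finished policy: the first denial says the load-module domain executed /usr/bin/bash without a domain transition, the second that it asked the kernel to autoload a module, and whether each candidate rule belongs in the domain is the decision a reviewer makes before any `allow` line is committed.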
