On Tue, Jan 08, 2019 at 10:26:10AM -0500, Aaron Conole wrote:
> Yi-Hung Wei <[email protected]> writes:
>
> > Starting from OVS 2.10, ovs-vswitchd may fail to run after system reboot
> > since it fails to load the ovs kernel module. This is because the conntrack
> > zone limit feature introduced in OVS 2.10 now depends on the
> > nf_conntrack_ipv4/6 kernel modules, and SELinux prevents it from loading
> > the two kernel modules.
> >
> > Example log of the AVC violations:
> > type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> >
> > type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
> >
> > This patch adds the missing permissions for the modprobe command in
> > ovs-kmod-ctl so that the aforementioned issue is resolved.
> >
> > VMWare-BZ: #2257534
> > Signed-off-by: Yi-Hung Wei <[email protected]>
> > ---
>
> Good catch.
>
> Acked-by: Aaron Conole <[email protected]>

Thanks, Yi-hung (and Aaron). I applied this to master and branch-2.10.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
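The two AVC records quoted in the patch description are the input a defender works from when diagnosing a denial like this one. As an added example (not part of the thread and not the OVS project's own SELinux policy), the Python script below parses such records, reports which source domain was denied which permission on which target type and class, and derives the raw TE allow rule each denial maps to, the same translation audit2allow performs. The only input is the two records quoted above, re-joined onto single lines as auditd writes them; every type and permission name the script produces comes from that log text, and it assumes nothing beyond the Python standard library.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two AVC records quoted in the thread, each
# re-joined onto a single line as auditd writes them.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } '
    'for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file\n'
    'type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } '
    'for pid=819 comm="modprobe" kmod="nf_conntrack-2" '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system\n'
)

# Header of an AVC record: timestamp, serial, verdict and the permission set.
_AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted ("modprobe") or bare (820).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: list
    fields: dict = field(default_factory=dict)

    @staticmethod
    def _type_of(context: str) -> str:
        # An SELinux context is user:role:type[:range]; the type is the third field.
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str):
    """Parse one AVC audit record; return None for lines that are not AVC records."""
    m = _AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> list:
    """Parse every AVC record in a block of audit log text, skipping other lines."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r is not None]


def suggest_allow_rule(rec: AvcRecord) -> str:
    """Raw TE allow rule equivalent to the denial (what audit2allow would emit)."""
    return "allow %s %s:%s { %s };" % (
        rec.source_type, rec.target_type, rec.tclass, " ".join(rec.perms))


def summarize(records) -> dict:
    """Group denied permissions by (source type, target type, class)."""
    out = {}
    for r in records:
        if r.verdict != "denied":
            continue
        key = (r.source_type, r.target_type, r.tclass)
        out.setdefault(key, set()).update(r.perms)
    return out


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        detail = r.fields.get("kmod") or r.fields.get("path", "")
        print(f"{r.verdict}: {r.source_type} -> {r.target_type}:{r.tclass} "
              f"{r.perms} (comm={r.fields.get('comm')} {detail})")
        print("   ", suggest_allow_rule(r))
```

The derived rules are a diagnostic aid, not a finished policy: a raw `allow` is the broadest fix, and in a real module one would prefer the matching refpolicy interface (for example kernel_request_load_module for the `module_request` denial) and confirm that the process path shown (modprobe running /usr/bin/bash) is expected before granting `execute_no_trans` on `shell_exec_t`.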
