ovsdb-server unable to start on compute nodes after upgrade to RHEL-7.9 due to SELinux AVC denials
Issue
- After upgrading our overcloud to RHEL 7.9, ovsdb-server fails to start on compute nodes, which results in unhealthy L2 agents.
- The workaround is to switch SELinux to permissive mode. Some more info from the affected system in permissive mode follows:
[root@overcloud-compute-0 ~]# systemctl restart ovsdb-server.service
[overcloud-compute-0.localdomain] [03:40:08 PM]
[root@overcloud-compute-0 ~]# ausearch -m avc -ts recent
time->Tue Oct 13 15:40:08 2020
type=PROCTITLE msg=audit(1602603608.681:103767): proctitle=6F767364622D736572766572002F6574632F6F70656E767377697463682F636F6E662E6462002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F002D2D72656D6F74653D70756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B002D2D70726976
type=SYSCALL msg=audit(1602603608.681:103767): arch=c000003e syscall=49 success=yes exit=0 a0=13 a1=7ffdba4593f0 a2=10 a3=7ffdba4593e8 items=0 ppid=1 pid=101688 auid=4294967295 uid=994 gid=1028 euid=994 suid=994 fsuid=994 egid=1028 sgid=1028 fsgid=1028 tty=(none) ses=4294967295 comm="ovsdb-server" exe="/usr/sbin/ovsdb-server" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1602603608.681:103767): avc: denied { name_bind } for pid=101688 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1
[overcloud-compute-0.localdomain] [03:40:12 PM]
[root@overcloud-compute-0 ~]# rpm -qa | grep selinux
selinux-policy-3.13.1-268.el7.noarch
selinux-policy-targeted-3.13.1-268.el7.noarch
openvswitch-selinux-extra-policy-1.0-9.el7fdp.noarch
libselinux-ruby-2.5-15.el7.x86_64
libselinux-utils-2.5-15.el7.x86_64
container-selinux-2.119.2-1.911c772.el7_8.noarch
libselinux-python-2.5-15.el7.x86_64
libselinux-2.5-15.el7.x86_64
ceph-selinux-12.2.12-124.el7cp.x86_64
- This deployment is using pre-deployed nodes.
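A small triage helper for the AVC and PROCTITLE records shown above, added here as an example (it is not part of the article and not Red Hat code): it parses the denial fields and decodes the hex proctitle, so the exact ovsdb-server command line, the port label and the permissive=1 flag are readable at a glance. The two record strings are copied from the ausearch output above.

```python
import re

# Records copied from the ausearch output above (both belong to audit event 1602603608.681:103767).
AVC_RECORD = (
    'type=AVC msg=audit(1602603608.681:103767): avc: denied { name_bind } for pid=101688 '
    'comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1'
)
PROCTITLE_RECORD = (
    'type=PROCTITLE msg=audit(1602603608.681:103767): proctitle='
    '6F767364622D736572766572002F6574632F6F70656E767377697463682F636F6E662E6462'
    '002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F'
    '002D2D72656D6F74653D70756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B'
    '002D2D70726976'
)

_SELINUX_TYPE = re.compile(r'^[^:]+:[^:]+:([^:]+)')  # user:role:TYPE[:level]

def parse_avc(record):
    """Extract the fields needed to triage one AVC record; None if the line is not an AVC."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}', record)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    return {
        'result': m.group(1),
        'perms': m.group(2).split(),                      # e.g. ['name_bind']
        'comm': kv.get('comm', '').strip('"'),
        'port': int(kv['src']) if 'src' in kv else None,  # src= is the port for name_bind
        'source_type': _SELINUX_TYPE.match(kv['scontext']).group(1),
        'target_type': _SELINUX_TYPE.match(kv['tcontext']).group(1),
        'tclass': kv.get('tclass'),
        # permissive=1 means the access went ahead but would be blocked in enforcing mode
        'enforcing': kv.get('permissive', '0') == '0',
    }

def decode_proctitle(record):
    """Decode the hex proctitle; NUL bytes separate argv entries (audit caps it at 128 bytes)."""
    m = re.search(r'proctitle=([0-9A-Fa-f]+)', record)
    if not m:
        return []
    return bytes.fromhex(m.group(1)).decode('utf-8', 'replace').split('\x00')

def triage(avc_record, proctitle_record):
    """Combine both records into one line an operator can act on."""
    avc = parse_avc(avc_record)
    argv = decode_proctitle(proctitle_record)
    mode = 'enforcing' if avc['enforcing'] else 'permissive (logged only)'
    return (f"{avc['source_type']} ({avc['comm']}) {avc['result']} {' '.join(avc['perms'])} "
            f"on {avc['tclass']} port {avc['port']} labelled {avc['target_type']}, "
            f"SELinux {mode}; argv: {' '.join(argv)}")
```

Because the target port already carries the ovsdb_port_t label, the record points to a missing allow rule for openvswitch_t rather than a mislabelled port, which is what the decoded summary makes visible.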
Environment
- Red Hat OpenStack Platform 13.0 (RHOSP)