[ovs-dev] '/etc/init.d/openvswitch force-reload-kmod' on RHEL7 fails,

Alex Wang alexw at nicira.com
Wed Oct 22 18:36:26 UTC 2014


Just out of curiosity,

When I did 'systemctl list-units -t service --all', I could find the
openvswitch.service entry.

But I could not find the openvswitch.service file on my system.

Then I did 'systemctl -l status openvswitch.service', and it showed

    Loaded: loaded (/etc/rc.d/init.d/openvswitch)

Seems to me that RHEL7 parses the rc.d/ directory and automatically
creates the service for openvswitch.  Am I right?

Thanks,
Alex Wang,

On Wed, Oct 22, 2014 at 9:51 AM, Alex Wang <alexw at nicira.com> wrote:

>
>
> On Wed, Oct 22, 2014 at 9:34 AM, Flavio Leitner <fbl at redhat.com> wrote:
>
>> On Wed, Oct 22, 2014 at 09:07:00AM -0700, Alex Wang wrote:
>> > Thx for the reply Flavio,
>> >
>> > > Sorry, I was out for some days. Anyway as FYI, RHEL-7 and
>> > > probably CentOS7 supports systemd, so we provide systemd service
>> > > for openvswitch.  Therefore, the sysv script isn't supported.
>> > >
>> >
>> >
>> > Thanks for notifying me of this.  I just searched around and, from my
>> > understanding, systemctl does not have a subcommand for reloading the
>> > kernel module.
>>
>> You're correct. So far there is no such facility.
>>
>>
>> > So, seems to me, the only way to reload kmod is to reboot machine...
>> > And that way, the interface configurations are all lost.
>> >
>> > Do you know any workaround?
>>
>> Not that I know of.  So, the idea behind the reload kmod is to
>> re-create bridge and ports too?
>>
>
>
> yes, the ovs-save (/usr/share/openvswitch/scripts/ovs-save) file is for
> storing info like link state (Ethernet addresses, up/down, ...)
>
> this script is invoked during reload-kmod~
>
>
>
>> > > Have you run the script in permissive mode to see if fixing
>> > > that is enough?
>> > > I will try to reproduce in my end as well.
>> >
>> > Yeah, if we set selinux to permissive mode or I `semanage permissive -a
>> > openvswitch_t`... then I do not have the issue.
>>
>> Yeah, because then you are allowing everything.  But my question was
>> more if there are more avc denials after that problem.  I mean, once
>> you have fixed/skipped the first problem, likely there is a second one
>> and so forth.  No worries, I will check myself later on.
>>
>
> Here are all the logs in one execution,
>
> type=AVC msg=audit(1413996278.049:152): avc:  denied  { getattr } for
> pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1413996278.049:152): arch=c000003e syscall=4
> success=yes exit=0 a0=1d6c670 a1=7fff19957b40 a2=7fff19957b40 a3=0 items=0
> ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1413996278.049:153): avc:  denied  { execute } for
> pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1413996278.049:153): arch=c000003e syscall=21
> success=yes exit=0 a0=1d6c670 a1=1 a2=7fff19957a70 a3=7fff19957900 items=0
> ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1413996278.049:154): avc:  denied  { read } for
> pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1413996278.049:154): arch=c000003e syscall=21
> success=yes exit=0 a0=1d6c670 a1=4 a2=7fff19957a70 a3=7fff19957900 items=0
> ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
>
> type=AVC msg=audit(1413996278.049:155): avc:  denied  { open } for
> pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=AVC msg=audit(1413996278.049:155): avc:  denied  { execute_no_trans }
> for  pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> scontext=unconfined_u:system_r:openvswitch_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1413996278.049:155): arch=c000003e syscall=59
> success=yes exit=0 a0=1d6c670 a1=1d7ba00 a2=1d6c930 a3=7fff19957a20 items=0
> ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip"
> subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
>
>
> Thanks again,
>> fbl
>>
>>
> Thanks,
> Alex Wang,
>
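
The denials quoted above can be collapsed into the single missing rule, as an added example that is not part of the original thread. The sample is constructed from the quoted records (AVC lines re-joined, SYSCALL lines abridged); `summarize` and `allow_rule` are hypothetical helper names. A denial whose paired SYSCALL record still reports success=yes was logged but not enforced, as happens in permissive mode.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in the message above, re-joined onto
# one line each; SYSCALL records are abridged to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1413996278.049:152): avc:  denied  { getattr } for pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1413996278.049:152): arch=c000003e syscall=4 success=yes exit=0 pid=3970 comm="ovs-save" exe="/usr/bin/bash"
type=AVC msg=audit(1413996278.049:153): avc:  denied  { execute } for pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1413996278.049:153): arch=c000003e syscall=21 success=yes exit=0 pid=3970 comm="ovs-save" exe="/usr/bin/bash"
type=AVC msg=audit(1413996278.049:154): avc:  denied  { read } for pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1413996278.049:154): arch=c000003e syscall=21 success=yes exit=0 pid=3970 comm="ovs-save" exe="/usr/bin/bash"
type=AVC msg=audit(1413996278.049:155): avc:  denied  { open } for pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1413996278.049:155): avc:  denied  { execute_no_trans } for  pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 scontext=unconfined_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1413996278.049:155): arch=c000003e syscall=59 success=yes exit=0 pid=3970 comm="ip" exe="/usr/sbin/ip"
"""

SERIAL = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=[^:]+:[^:]+:([^:\s]+)\S*"
                 r"\s+tcontext=[^:]+:[^:]+:([^:\s]+)\S*\s+tclass=(\S+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def summarize(log_text):
    """Group denied permissions per (source type, target type, class) and flag
    whether any syscall in the same audit event actually failed (enforced)."""
    perms = defaultdict(dict)   # key -> {permission: None}, insertion-ordered
    events = defaultdict(set)   # key -> audit event serials carrying a denial
    succeeded = {}              # serial -> success flag from the SYSCALL record
    for line in log_text.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        if line.startswith("type=SYSCALL") and (s := SUCCESS.search(line)):
            succeeded[m.group(1)] = s.group(1) == "yes"
        elif line.startswith("type=AVC") and (a := AVC.search(line)):
            key = a.group(2, 3, 4)
            events[key].add(m.group(1))
            perms[key].update(dict.fromkeys(a.group(1).split()))
    return [{"source": k[0], "target": k[1], "class": k[2], "perms": list(p),
             # success=yes on the paired SYSCALL means the denial was only logged
             "enforced": any(succeeded.get(e) is False for e in events[k])}
            for k, p in perms.items()]

def allow_rule(entry):
    """Render one summary entry in the policy-language form audit2allow prints."""
    return "allow {source} {target}:{class} {{ {p} }};".format(p=" ".join(entry["perms"]), **entry)

if __name__ == "__main__":
    print([(allow_rule(e), e["enforced"]) for e in summarize(SAMPLE)])
```

All five denials share one source type, target type and class, so they reduce to a single rule for openvswitch_t executing the ifconfig_exec_t-labelled /usr/sbin/ip.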


