[ovs-dev] '/etc/init.d/openvswitch force-reload-kmod' on RHEL7 fails,

Flavio Leitner fbl at redhat.com
Wed Oct 22 21:07:23 UTC 2014


On Wed, Oct 22, 2014 at 11:36:26AM -0700, Alex Wang wrote:
> Just out of curiosity,
> 
> when I did 'systemctl list-units -t service --all', I could find the
> openvswitch.service entry.
> 
> but I could not find the openvswitch.service file on my system.
> 
> then I did 'systemctl -l status openvswitch.service', it showed
> 
>     Loaded: loaded (/etc/rc.d/init.d/openvswitch)
> 
> seems to me that rhel7 parses the rc.d/ directory and automatically
> creates the service for openvswitch.  am I right?

No, that's just a fallback for old sysv scripts.  So, if you use
'systemctl' then it should use the old 'service' instead.

fbl


> Thanks,
> Alex Wang,
> 
> On Wed, Oct 22, 2014 at 9:51 AM, Alex Wang <alexw at nicira.com> wrote:
> 
> >
> >
> > On Wed, Oct 22, 2014 at 9:34 AM, Flavio Leitner <fbl at redhat.com> wrote:
> >
> >> On Wed, Oct 22, 2014 at 09:07:00AM -0700, Alex Wang wrote:
> >> > Thx for the reply Flavio,
> >> >
> >> > > Sorry, I was out for some days. Anyway as FYI, RHEL-7 and
> >> > > probably CentOS7 supports systemd, so we provide systemd service
> >> > > for openvswitch.  Therefore, the sysv script isn't supported.
> >> > >
> >> >
> >> >
> >> > Thanks for notifying me of this. I just searched around; from my understanding,
> >> > systemctl does not have a subcommand for reloading the kernel module.
> >>
> >> You're correct. So far there is no such facility.
> >>
> >>
> >> > So, seems to me, the only way to reload kmod is to reboot machine...
> >> > And that way, the interface configurations are all lost.
> >> >
> >> > Do you know any workaround?
> >>
> >> Not that I know of.  So, the idea behind the reload kmod is to
> >> re-create bridge and ports too?
> >>
> >
> >
> > yes, the ovs-save (/usr/share/openvswitch/scripts/ovs-save) file is for
> > storing info like link state (Ethernet addresses, up/down, ...)
> >
> > this script is invoked during reload-kmod~
> >
> >
> >
> >> > > Have you run the script in permissive mode to see if fixing
> >> > > that is enough?
> >> > > I will try to reproduce in my end as well.
> >> >
> >> > Yeah, if we set selinux to permissive mode or I `semanage permissive -a
> >> > openvswitch_t`... then I do not have the issue.
> >>
> >> Yeah, because then you are allowing everything.  But my question was
> >> more if there are more avc denials after that problem.  I mean, once
> >> you have fixed/skipped the first problem, likely there is a second one
> >> and so forth.  No worries, I will check myself later on.
> >>
> >
> > Here are all the logs in one execution,
> >
> > type=AVC msg=audit(1413996278.049:152): avc:  denied  { getattr } for
> > pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> > scontext=unconfined_u:system_r:openvswitch_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1413996278.049:152): arch=c000003e syscall=4
> > success=yes exit=0 a0=1d6c670 a1=7fff19957b40 a2=7fff19957b40 a3=0 items=0
> > ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> > subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
> >
> > type=AVC msg=audit(1413996278.049:153): avc:  denied  { execute } for
> > pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283
> > scontext=unconfined_u:system_r:openvswitch_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1413996278.049:153): arch=c000003e syscall=21
> > success=yes exit=0 a0=1d6c670 a1=1 a2=7fff19957a70 a3=7fff19957900 items=0
> > ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> > subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
> >
> > type=AVC msg=audit(1413996278.049:154): avc:  denied  { read } for
> > pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283
> > scontext=unconfined_u:system_r:openvswitch_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1413996278.049:154): arch=c000003e syscall=21
> > success=yes exit=0 a0=1d6c670 a1=4 a2=7fff19957a70 a3=7fff19957900 items=0
> > ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts0 ses=1 comm="ovs-save" exe="/usr/bin/bash"
> > subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
> >
> > type=AVC msg=audit(1413996278.049:155): avc:  denied  { open } for
> > pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> > scontext=unconfined_u:system_r:openvswitch_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > type=AVC msg=audit(1413996278.049:155): avc:  denied  { execute_no_trans }
> > for  pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283
> > scontext=unconfined_u:system_r:openvswitch_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1413996278.049:155): arch=c000003e syscall=59
> > success=yes exit=0 a0=1d6c670 a1=1d7ba00 a2=1d6c930 a3=7fff19957a20 items=0
> > ppid=3969 pid=3970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts0 ses=1 comm="ip" exe="/usr/sbin/ip"
> > subj=unconfined_u:system_r:openvswitch_t:s0 key=(null)
> >
> >
> > Thanks again,
> >> fbl
> >>
> >>
> > Thanks,
> > Alex Wang,
> >
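
Added example, not part of the original thread or of Open vSwitch: a small Python parser that collapses the AVC denials quoted above into one rule per (source type, target type, class), a simplified form of what audit2allow reports. The sample text is constructed from the quoted records with the mail-client line wraps joined and the SYSCALL record abridged; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC records from the thread, one per line,
# plus one abridged SYSCALL record to show that non-AVC lines are skipped.
_CTX = ('scontext=unconfined_u:system_r:openvswitch_t:s0 '
        'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file')
SAMPLE = "\n".join([
    'type=AVC msg=audit(1413996278.049:152): avc:  denied  { getattr } for pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 ' + _CTX,
    'type=SYSCALL msg=audit(1413996278.049:152): arch=c000003e syscall=4 success=yes exit=0 comm="ovs-save" exe="/usr/bin/bash"',
    'type=AVC msg=audit(1413996278.049:153): avc:  denied  { execute } for pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283 ' + _CTX,
    'type=AVC msg=audit(1413996278.049:154): avc:  denied  { read } for pid=3970 comm="ovs-save" name="ip" dev="dm-1" ino=67244283 ' + _CTX,
    'type=AVC msg=audit(1413996278.049:155): avc:  denied  { open } for pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 ' + _CTX,
    'type=AVC msg=audit(1413996278.049:155): avc:  denied  { execute_no_trans } for  pid=3970 comm="ovs-save" path="/usr/sbin/ip" dev="dm-1" ino=67244283 ' + _CTX,
])

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    # An SELinux context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["serial"] = int(m.group("serial"))
    return fields

def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)

def as_rules(groups):
    """Render each group as the allow rule that would cover its denials."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```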


