[ovs-discuss] OVS install on CentOS 7

Gregory Gee gee.developer at gmail.com
Sun Sep 14 01:41:18 UTC 2014 

   It looks like an selinux issue or something wrong with init script 
that selinux is catching.  When i changed it from Enforce to Permissive, 
it started fine.  The following was the details in the alert that got 
reported.  As I mentioned, this only occurs if you use the init scripts 
to start it.


SELinux is preventing /usr/sbin/ovsdb-server from write access on the 
directory .

*****  Plugin catchall_labels (83.8 confidence) suggests   
*******************

If you want to allow ovsdb-server to have write access on the  directory
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: openvswitch_log_t, 
openvswitch_rw_t, openvswitch_tmp_t, openvswitch_var_lib_t, 
openvswitch_var_run_t, tmp_t, var_lib_t, var_log_t, var_run_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests **************************

If you believe that ovsdb-server should be allowed write access on the  
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ovsdb-server /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:openvswitch_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects                 [ dir ]
Source                        ovsdb-server
Source Path                   /usr/sbin/ovsdb-server
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages openvswitch-2.3.0-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7_0.10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                               3.10.0-123.6.3.el7.x86_64 #1 SMP Wed Aug 6
                               21:12:36 UTC 2014 x86_64 x86_64
Alert Count                   9
First Seen                    2014-08-30 15:08:18 EDT
Last Seen                     2014-09-13 21:31:59 EDT
Local ID ed5200fb-b534-4f72-b3ba-353548da4595

Raw Audit Messages
type=AVC msg=audit(1410658319.418:200): avc:  denied  { write } for  
pid=3414 comm="ovsdb-tool" name="openvswitch" dev="dm-0" ino=27570230 
scontext=system_u:system_r:openvswitch_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir


type=AVC msg=audit(1410658319.418:200): avc:  denied  { add_name } for  
pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~" 
scontext=system_u:system_r:openvswitch_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir


type=AVC msg=audit(1410658319.418:200): avc:  denied  { create } for  
pid=3414 comm="ovsdb-tool" name=".conf.db.~lock~" 
scontext=system_u:system_r:openvswitch_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=file


type=AVC msg=audit(1410658319.418:200): avc:  denied  { write } for  
pid=3414 comm="ovsdb-tool" path="/etc/openvswitch/.conf.db.~lock~" 
dev="dm-0" ino=27570223 scontext=system_u:system_r:openvswitch_t:s0 
tcontext=system_u:object_r:etc_t:s0 tclass=file


type=SYSCALL msg=audit(1410658319.418:200): arch=x86_64 syscall=open 
success=yes exit=ESRCH a0=24bc930 a1=42 a2=180 a3=7fff2a5da840 items=0 
ppid=3335 pid=3414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ovsdb-tool 
exe=/usr/bin/ovsdb-tool subj=system_u:system_r:openvswitch_t:s0 key=(null)

Hash: ovsdb-server,openvswitch_t,etc_t,dir,write


On 03/09/2014 10:51 AM, Flavio Leitner wrote:
> On Sat, Aug 30, 2014 at 09:06:59PM -0400, Gregory Gee wrote:
>>    I know, it looks that way.  But I checked many times before running the
>> init script that no OVS processes were running.  Even shown below, the
>> ovsdb-tool to create the initial DB fails. I know at that point nothing was
>> running.  It's really odd behaviour.
>>
>> /etc/openvswitch/conf.db does not exist ... (warning).
>> Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error:
>> /etc/openvswitch/conf.db: failed to lock lockfile (Resource temporarily
>> unavailable)
>> [FAILED]
> Maybe it's a stale lock /etc/openvswitch/.conf*
>
> or it could a selinux issue.
>
> fbl
>
>> Greg
>>
>> On 30/08/2014 6:45 PM, Ben Pfaff wrote:
>>> On Sat, Aug 30, 2014 at 03:48:29PM -0400, Gregory Gee wrote:
>>>>    Then installed the RPM.  But when I try and start OVS, ovsdb fails
>>>> to start.
>>>>
>>>> [root at localhost ~]# /etc/init.d/openvswitch start
>>>> Starting ovsdb-server ovsdb-server: I/O error:
>>>> /etc/openvswitch/conf.db: failed to lock lockfile (Resource
>>>> temporarily unavailable)
>>>> [FAILED]
>>> This message probably means that ovsdb-server is already running.
>>> If you started it separately from the initscript, then you should kill
>>> that one before using the initscript to start it.
>> _______________________________________________
>> discuss mailing list
>> discuss at openvswitch.org
>> http://openvswitch.org/mailman/listinfo/discuss

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20140913/4fa5167b/attachment-0002.html>

More information about the discuss mailing list