Last Modified: May 29, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1
Fixed In:
16.0.0, 15.1.10
Opened: Aug 27, 2019 Severity: 4-Minor
OVSDB-server fails to make SSL connections when Selinux is enforced. In /var/log/openvswitch/ovsdb-server.log: ...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).
Permission denied, SSL connection failure.
-- Navigate to System :: Configuration : OVSDB. -- Add cert and keys.
Step 1: Check openvswitch SELinux denial: # audit2allow -w -a Example output: type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. Step 2: Find openvswitch components that need Linux policy additions: # audit2allow -a Example output: #============= openvswitch_t ============== allow openvswitch_t f5config_t:dir search; allow openvswitch_t f5filestore_t:dir search; allow openvswitch_t f5filestore_t:file { getattr open read }; Step 3: Modify the policy to allow access to the component openvswitch_t: # audit2allow -a -M openvswitch_t Step 4: Apply the policy: # semodule -i openvswitch_t.pp
SELinux policy rules for openvswitch module have been added.