Bug ID 818297: OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Last Modified: Sep 29, 2022

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7

Fixed In:

Opened: Aug 27, 2019
Severity: 4-Minor


Symptoms

OVSDB-server fails to make SSL connections when SELinux is enforced. In /var/log/openvswitch/ovsdb-server.log:

    ...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).


Impact

Permission denied, SSL connection failure.


Conditions

-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.


Workaround

Step 1: Check openvswitch SELinux denial:

    # audit2allow -w -a

Example output:

    type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
        Was caused by:
            Missing type enforcement (TE) allow rule.
            You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:

    # audit2allow -a

Example output:

    #============= openvswitch_t ==============
    allow openvswitch_t f5config_t:dir search;
    allow openvswitch_t f5filestore_t:dir search;
    allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:

    # audit2allow -a -M openvswitch_t

Step 4: Apply the policy:

    # semodule -i openvswitch_t.pp
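Because `audit2allow -a` reads every denial in the audit log, the module built in Step 3 can also carry allow rules for domains other than openvswitch_t. The following added example (not F5's code and not part of the original workaround) parses AVC records in Python, keeps only denials whose source type is openvswitch_t, and reports which other domains were skipped, so the result can be compared with the Step 2 output before the policy is loaded. Only the first sample record is from this page; the others are constructed, and `example_t` / `example_data_t` are hypothetical type names.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def review_denials(audit_text, source_type):
    """Return (allow rules for source_type, other source domains that had denials)."""
    perms = defaultdict(set)  # (target type, object class) -> denied permissions
    others = set()
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        if m["src"] != source_type:
            others.add(m["src"])  # `audit2allow -a` would emit rules for these too
            continue
        perms[(m["tgt"], m["cls"])].update(m["perms"].split())
    rules = []
    for (tgt, cls), denied in sorted(perms.items()):
        names = sorted(denied)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source_type} {tgt}:{cls} {body};")
    return rules, others

def _avc(perms, comm, src, tgt, cls):
    # Build a constructed AVC record in the same layout as the one on this page.
    return (f'type=AVC msg=audit(0.0:0): avc: denied {{ {perms} }} for pid=1 '
            f'comm="{comm}" scontext=system_u:system_r:{src}:s0 '
            f'tcontext=system_u:object_r:{tgt}:s0 tclass={cls}')

# First record is the denial quoted in Step 1; the rest are constructed.
# example_t / example_data_t are hypothetical types for an unrelated service.
SAMPLE_AUDIT = "\n".join([
    'type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 '
    'comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:f5config_t:s0 tclass=dir',
    _avc("search", "ovsdb-server", "openvswitch_t", "f5filestore_t", "dir"),
    _avc("getattr", "ovsdb-server", "openvswitch_t", "f5filestore_t", "file"),
    _avc("read open", "ovsdb-server", "openvswitch_t", "f5filestore_t", "file"),
    _avc("read", "example-daemon", "example_t", "example_data_t", "file"),
])

if __name__ == "__main__":
    rules, others = review_denials(SAMPLE_AUDIT, "openvswitch_t")
    print("\n".join(rules), "\nskipped domains:", sorted(others))
```

The `-M` option in Step 3 also writes a readable `openvswitch_t.te` file next to the `.pp` package, which can be checked against this list before Step 4.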

Fix Information

SELinux policy rules for openvswitch module have been added.

Behavior Change