Bug ID 818297: OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Last Modified: Oct 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 15.0.0, 15.0.1

Opened: Aug 27, 2019
Severity: 4-Minor

Symptoms

OVSDB-server fails to make SSL connections when Selinux is enforced. In /var/log/openvswitch/ovsdb-server.log: ...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Impact

Permission denied, SSL connection failure.

Conditions

-- Navigate to System :: Configuration : OVSDB. -- Add cert and keys.

Workaround

Step 1: Check openvswitch SELinux denial: # audit2allow -w -a Example output: type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. Step 2: Find openvswitch components that need Linux policy additions: # audit2allow -a Example output: #============= openvswitch_t ============== allow openvswitch_t f5config_t:dir search; allow openvswitch_t f5filestore_t:dir search; allow openvswitch_t f5filestore_t:file { getattr open read }; Step 3: Modify the policy to allow access to the component openvswitch_t: # audit2allow -a -M openvswitch_t Step 4: Apply the policy: # semodule -i openvswitch_t.pp

Fix Information

None

Behavior Change