Fast Datapath Product
FDP-3060

AVC denial: comm="ovn-appctl" path="/run/ovn/ovn-controller.70144.ctl" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Normal
    • None
    • rhel-9, rhel-10
    • ovs-dpdk
    • None
    • AVC denial: comm="ovn-appctl" path="/run/ovn/ovn-controller.70144.ctl" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
    • 5
    • False
    • False

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given OVN services running in production configuration with SELinux enforcing mode and openvswitch-selinux-extra-policy loaded,

      When Logrotate executes /etc/logrotate.d/ovn postrotate script calling 'ovn-appctl -t /var/run/ovn/*.ctl vlog/reopen' as logrotate_t domain,

      Then, all ovn-appctl commands succeed with exit code 0 and OVN daemons reopen log files.


      ( ) The epic's work is available in a downstream build (nightly/Async or other)


      ( ) All cards under the epic have been moved to Done

    • rhel-9
    • None
    • rhel-net-ovs-dpdk
    • 100% To Do, 0% In Progress, 0% Done
    • ssg_networking

      This epic tracks all the effort needed to deliver the solution related to the bug described below.

       Problem Description: Clearly explain the issue.

      AVC denials are asserted in ovn-appctl for all OVN services during the memory_leak_soak test. Per analysis from Claude:

        1. Executive Summary

      All AVC denials in this log stem from a single root cause: the OVN (Open Virtual Network) logrotate script attempting to communicate with OVN daemon control sockets while running in the `logrotate_t` SELinux domain. The OVN services are running as `unconfined_service_t`, and SELinux policy does not permit this cross-domain socket connection.

       Impact Assessment: Describe the severity and impact (e.g., network down, availability of a workaround, etc.).

      Per Claude analysis:

          1. Impact
      • Severity: Medium
      • Functional Impact: Log rotation for OVN services fails to trigger daemon log reopening
      • Security Impact: None (denial is appropriate security behavior)
      • Occurrence: Daily at midnight (logrotate cron schedule)

         Software Versions: Specify the exact versions in use (e.g., openvswitch3.1-3.1.0-147.el8fdp).

      openvswitch-selinux-extra-policy-1.0-39.el9fdp.noarch
      openvswitch3.6-3.6.0-12.el9fdp.x86_64
      ovn25.09-25.09.1-25.el9fdp.x86_64
      ovn25.09-central-25.09.1-25.el9fdp.x86_64
      ovn25.09-host-25.09.1-25.el9fdp.x86_64
      openvswitch3.6-debuginfo-3.6.0-12.el9fdp.x86_64
      ovn25.09-debuginfo-25.09.1-25.el9fdp.x86_64
      ovn25.09-central-debuginfo-25.09.1-25.el9fdp.x86_64
      ovn25.09-host-debuginfo-25.09.1-25.el9fdp.x86_64

        Issue Type: Indicate whether this is a new issue or a regression (if a regression, state the last known working version).

      This is not a regression.  This was also observed in a previous memory_leak_soak job run using the versions referenced below, but no bug was filed at that time:

      openvswitch-selinux-extra-policy-1.0-39.el9fdp.noarch
      openvswitch3.3-3.3.4-110.el9fdp.x86_64
      ovn24.03-24.03.5-40.el9fdp.x86_64
      ovn24.03-central-24.03.5-40.el9fdp.x86_64
      ovn24.03-host-24.03.5-40.el9fdp.x86_64
      openvswitch3.3-debuginfo-3.3.4-110.el9fdp.x86_64
      ovn24.03-debuginfo-24.03.5-40.el9fdp.x86_64
      ovn24.03-central-debuginfo-24.03.5-40.el9fdp.x86_64
      ovn24.03-host-debuginfo-24.03.5-40.el9fdp.x86_64

       Reproducibility: Confirm if the issue can be reproduced consistently. If not, describe how often it occurs.

      Always reproducible when running memory_leak_soak test.

       Reproduction Steps: Provide detailed steps or scripts to replicate the issue.

      In theory, this should be reproducible by manually running the ovn log rotate script using: logrotate -vf /etc/logrotate.d/ovn

      However, this didn't repro the issue when I tested it.
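A way to force the rotation in the logrotate_t domain rather than in the calling shell's domain, as an added example (not part of this ticket or of the OVN packages). It assumes, without confirmation from the attached logs, that a manual run from a root login shell keeps the shell's unconfined_t domain and so never hits the logrotate_t denial, and that running logrotate as a transient systemd service triggers the logrotate_exec_t to logrotate_t transition the timer-driven logrotate.service relies on. The unit name ovn-logrotate-repro is arbitrary.

```shell
#!/bin/bash
# Added example: reproduce the FDP-3060 denial with logrotate running as logrotate_t.
# Assumes systemd-run and ausearch are present and that logrotate is labelled
# logrotate_exec_t (checked by the domain the transient service ends up in).
set -eu

# Third field of user:role:type[:level] is the SELinux type.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domain of the calling shell. For an interactive root login this is normally
# unconfined_t, so a plain 'logrotate -vf' from here is not a logrotate_t run.
current_domain() {
    selinux_type_of "$(cat /proc/self/attr/current)"
}

# Run the forced rotation as a transient service so the exec transition into
# logrotate_t applies; --wait blocks until the postrotate script has finished.
rotate_as_logrotate_t() {
    systemd-run --wait --collect --unit=ovn-logrotate-repro \
        /usr/sbin/logrotate -vf /etc/logrotate.d/ovn
}

# AVC records from the last few minutes for the ovn-appctl command, decoded.
show_avc() {
    ausearch -m AVC -ts recent -c ovn-appctl --interpret || true
}

# Only act when invoked as './repro.sh run'; sourcing the file just defines helpers.
if [ "${1:-}" = run ]; then
    echo "calling shell domain: $(current_domain)"
    rotate_as_logrotate_t
    show_avc
fi
```

If the denial now appears with scontext type logrotate_t and the shell domain printed first was unconfined_t, the earlier negative result came from the domain the manual run executed in, not from the postrotate script itself.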

       Expected Behavior: Describe what should happen under normal circumstances.

      No AVC denials are asserted.

       Observed Behavior: Explain what actually happens.

      During long-term memory_leak_soak testing.

       Troubleshooting Actions: Outline the steps taken to diagnose or resolve the issue so far.

      Ran analysis using Claude (analysis files attached to this ticket).  

      Note: Claude recommended the steps below as an alternate way to avoid the AVC denials. I added the steps to the test script but the AVC denials persisted:

          1. Create and install ovn_logrotate policy module to address AVC denials
            # Write the type-enforcement (.te) source for a small policy module.
            cat > /tmp/ovn_logrotate.te << 'EOF'
            module ovn_logrotate 1.0;
            # Declare the types and the object class/permission the rule uses.
            require { type logrotate_t; type openvswitch_var_run_t; class sock_file write; }

            # Grants write on socket files labelled openvswitch_var_run_t only.
            # The denial logged in this ticket is a different (type, class) pair,
            # tcontext=unconfined_service_t tclass=unix_stream_socket, which this
            # rule does not cover.
            allow logrotate_t openvswitch_var_run_t:sock_file write;
            EOF

            # Compile the source, package it as a loadable module, and install it.
            checkmodule -M -m -o /tmp/ovn_logrotate.mod /tmp/ovn_logrotate.te
            semodule_package -o /tmp/ovn_logrotate.pp -m /tmp/ovn_logrotate.mod
            semodule -i /tmp/ovn_logrotate.pp
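The module above grants sock_file write on openvswitch_var_run_t, while the denial in the ticket title is on tclass=unix_stream_socket against unconfined_service_t; the two do not match, which is consistent with the denials persisting. The following added example (not part of this ticket, of openvswitch-selinux-extra-policy, or of OVN) parses AVC records, aggregates them into allow rules the way audit2allow does, and reports which denials an existing rule set leaves uncovered. The sample records are constructed: the first is modelled on the ticket title with the permission filled in as connectto, which the title omits and which is assumed here because connecting to a Unix stream socket is checked as that permission; the second assumes the control-socket file carries the openvswitch_var_run_t label the tried module refers to.

```python
"""Derive SELinux allow rules from AVC records and compare them with a rule set.

Added example for the FDP-3060 discussion, not code from the ticket or the
OVN/OVS projects. SAMPLE_AVC_LINES are constructed; the permissions and the
sock_file label are assumptions, see the lead-in.
"""
import re
from collections import defaultdict

# Constructed sample audit records (not copied from the attached logs).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1770000000.000:101): avc:  denied  { connectto } for  '
    'pid=70210 comm="ovn-appctl" path="/run/ovn/ovn-controller.70144.ctl" '
    'scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1770000000.000:102): avc:  denied  { write } for  '
    'pid=70210 comm="ovn-appctl" name="ovn-controller.70144.ctl" dev="tmpfs" '
    'ino=1234 scontext=system_u:system_r:logrotate_t:s0 '
    'tcontext=system_u:object_r:openvswitch_var_run_t:s0 '
    'tclass=sock_file permissive=0',
]

# What the module tried in the ticket grants: (source, target, class) -> perms.
TRIED_MODULE_RULES = {
    ("logrotate_t", "openvswitch_var_run_t", "sock_file"): {"write"},
}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:level] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial as a dict, or None for non-AVC or 'granted' records."""
    m = AVC_RE.search(line)
    if m is None or m.group("verdict") != "denied":
        return None
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def required_rules(lines):
    """Aggregate denials per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def uncovered(required, granted):
    """Denials that an existing set of allow rules does not satisfy."""
    missing = {}
    for key, perms in required.items():
        left = perms - granted.get(key, set())
        if left:
            missing[key] = left
    return missing


def perm_list(perms):
    """Render one permission bare, several in braces, as .te syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def format_te(rules, module="ovn_logrotate", version="1.0"):
    """Render the rules as .te module source suitable for checkmodule -M -m."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {perm_list(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {perm_list(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = required_rules(SAMPLE_AVC_LINES)
    print(format_te(rules))
    for (s, t, c), p in uncovered(rules, TRIED_MODULE_RULES).items():
        print(f"not covered by the tried module: {s} -> {t}:{c} {perm_list(p)}")
```

Feed the real audit.log lines from the attachments in place of SAMPLE_AVC_LINES to get the rule set the denials actually imply. Treat the output as a diagnostic rather than a drop-in fix: because the OVN daemons run as unconfined_service_t, a rule targeting that type lets logrotate_t connect to every unconfined service's stream sockets, which is broader than the ovn-appctl use case.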

             Logs: If you collected logs please provide them (e.g. sos report, /var/log/openvswitch/* , testpmd console)

      sos report RHEL-10: http://netqe-infra01.knqe.eng.rdu2.dc.redhat.com/sosreports/sosreport-wsfd-advnetlab34-2026-02-11-aesuweb.tar.xz

      sos report RHEL-9: http://netqe-infra01.knqe.eng.rdu2.dc.redhat.com/sosreports/sosreport-wsfd-advnetlab33-2026-01-27-bvlynkf.tar.xz

       

        1. rhel10_audit.log
          503 kB
          Rick Alongi
        2. rhel10_audit_ovn_analysis.md
          12 kB
          Rick Alongi
        3. avc_denials_rhel98.log
          7 kB
          Rick Alongi
        4. avc_denials_rhel98_analysis.md
          7 kB
          Rick Alongi
        5. audit.log
          82 kB
          Rick Alongi

              ovsdpdk-bot (ovsdpdk bot)
              ralongi@redhat.com (Rick Alongi)
              Votes: 0
              Watchers: 1