- Bug
- Resolution: Unresolved
- rhel-9.6
- rhel-image-mode
- x86_64
What were you trying to do that didn't work?
rpm-ostree install openvswitch, but the openvswitch service didn't work. SELinux raises a denial log as below:
Mar 19 06:48:09 dell-per740-60.rhts.eng.pek2.redhat.com ovs-ctl[23463]: /usr/share/openvswitch/scripts/ovs-lib: line 552: /usr/share/openvswitch/scripts/ovs-kmod-ctl: Permission denied
6:50 type=AVC msg=audit(1742381290.815:193): avc: denied { getattr } for pid=23590 comm="ovs-ctl" path="/usr/share/openvswitch/scripts/ovs-kmod-ctl" dev="overlay" ino=204451002 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:openvswitch_load_module_exec_t:s0"
What is the impact of this issue to you?
rpm-ostree install openvswitch but didn't start openvswitch service
Please provide the package NVR for which the bug is seen:
rpm-ostree-2025.5-1.el9.x86_64
selinux-policy-38.1.53-2.el9.noarch
How reproducible is this bug?: 100%
Steps to reproduce
- Run the commands below
[root@dell-per740-60 ~]# ls /etc | grep openv
[root@dell-per740-60 ~]# rpm-ostree -Ay install http://download.devel.redhat.com/brewroot/packages/openvswitch-selinux-extra-policy/1.0/36.el9fdp/noarch/openvswitch-selinux-extra-policy-1.0-36.el9fdp.noarch.rpm
[root@dell-per740-60 ~]# rpm-ostree -Ay install https://download.devel.redhat.com/brewroot/vol/rhel-9/packages/openvswitch3.4/3.4.2/58.el9fdp/x86_64/openvswitch3.4-3.4.2-58.el9fdp.x86_64.rpm
[root@dell-per740-60 ~]# systemctl start openvswitch
A dependency job for openvswitch.service failed. See 'journalctl -xe' for details.
[root@dell-per740-60 ~]# ll /etc/openvswitch/default.conf
-rw-r--r--. 1 openvswitch openvswitch 163 Mar 19 06:31 /etc/openvswitch/default.conf
Expected results
start openvswitch service well
Actual results
start openvswitch service failed
Check the selinux log as below:
Mar 19 06:48:09 dell-per740-60.rhts.eng.pek2.redhat.com ovs-ctl[23463]: /usr/share/openvswitch/scripts/ovs-lib: line 552: /usr/share/openvswitch/scripts/ovs-kmod-ctl: Permission denied
6:50 type=AVC msg=audit(1742381290.815:193): avc: denied { getattr } for pid=23590 comm="ovs-ctl" path="/usr/share/openvswitch/scripts/ovs-kmod-ctl" dev="overlay" ino=204451002 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:openvswitch_load_module_exec_t:s0"
Tried to unlock the overlay and re-label SELinux, but it failed
[root@dell-per740-60 ~]# bootc usroverlay
error: Deployment is already in unlocked state: transient
[root@dell-per740-60 ~]# rpm-ostree usroverlay
error: Deployment is already in unlocked state: transient
[root@dell-per740-60 ~]# restorecon -Rv /usr
restorecon: Could not set context for /usr/libexec/flatpak-system-helper: Read-only file system
restorecon: Could not set context for /usr/share/openvswitch/scripts/ovs-kmod-ctl: Read-only file system
Compare rhel10 and rhel9 selinux label of /usr/share/openvswitch/scripts/ovs-kmod-ctl
rhel9.6
[root@dell-per740-60 ~]# uname -r
5.14.0-570.el9.x86_64
[root@dell-per740-60 ~]# ls -laZ /usr/share/openvswitch/scripts/ovs-kmod-ctl
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 6099 Mar 19 06:31 /usr/share/openvswitch/scripts/ovs-kmod-ctl
rhel10.0
[root@dell-per740-10 topo]# uname -r
6.12.0-55.2.1.el10_0.x86_64
[root@dell-per740-10 topo]# ls -laZ /usr/share/openvswitch/scripts/ovs-kmod-ctl
-rwxr-xr-x. 1 root root system_u:object_r:openvswitch_load_module_exec_t:s0 6099 Dec 31 1969 /usr/share/openvswitch/scripts/ovs-kmod-ctl
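
Added example (not part of the original report): a small Python triage helper for AVC records like the one quoted above. The kernel adds `trawcon` to an AVC record when the target's stored context is not valid under the loaded policy, so the object is treated as `unlabeled_t`; the helper separates that case from an ordinary policy denial. The function names and the second sample record are constructed for illustration.

```python
import re

# The AVC record quoted in this report (the stray space inside trawcon repaired).
REPORT_AVC = (
    'type=AVC msg=audit(1742381290.815:193): avc: denied { getattr } for '
    'pid=23590 comm="ovs-ctl" path="/usr/share/openvswitch/scripts/ovs-kmod-ctl" '
    'dev="overlay" ino=204451002 scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 '
    'trawcon="system_u:object_r:openvswitch_load_module_exec_t:s0"'
)
# Constructed contrast record: a valid target label that policy does not allow.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read } for pid=100 '
    'comm="example" path="/srv/example" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'
)

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'\{([^}]*)\}')

def parse_avc(line):
    """Split one AVC record into its key=value fields plus the permission list."""
    if 'avc:' not in line:
        return None
    tail = line.split('avc:', 1)[1]
    rec = {k: v.strip('"') for k, v in _FIELD.findall(tail)}
    perms = _PERMS.search(tail)
    rec['perms'] = perms.group(1).split() if perms else []
    rec['denied'] = 'denied' in tail.split('{', 1)[0]
    return rec

def se_type(context):
    """Return the type field of a user:role:type[:level] context, else None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def triage(line):
    """Classify a denial: stored label invalid under loaded policy, or plain denial."""
    rec = parse_avc(line)
    if rec is None or not rec['denied']:
        return None
    out = {'path': rec.get('path'), 'perms': rec['perms'],
           'source_type': se_type(rec.get('scontext', '')),
           'target_type': se_type(rec.get('tcontext', ''))}
    if 'trawcon' in rec:  # raw on-disk label the kernel could not map
        out.update(kind='invalid-target-label', stored_type=se_type(rec['trawcon']))
    else:
        out['kind'] = 'policy-denial'
    return out
```

For an `invalid-target-label` result, `stored_type` is the type to look for in the loaded policy (for example with `seinfo -t`), since the file already carries that label on disk.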