On Mon, Oct 20, 2014 at 06:03:26PM -0700, Alex Wang wrote:
> Hey Flavio,
>
> We found that when SELinux is set to 'enforcing' on RHEL7/CentOS7,
> the init.d script command 'force-reload-kmod' cannot work properly,
> as shown below:
>
> [root@ovs_team_rhel7]# /etc/init.d/openvswitch force-reload-kmod
>
> Detected internal interfaces: [ OK ]
> Saving flows [ OK ]
> Killing ovsdb-server (11131) [ OK ]
> Starting ovsdb-server [ OK ]
> Configuring Open vSwitch system IDs [ OK ]
> Killing ovs-vswitchd (11146) [ OK ]
> *Saving interface configuration /usr/share/openvswitch/scripts/ovs-save: ip
> not found in /*
> *sbin:/usr/sbin:/bin:/usr/bin*
> *[FAILED]*
> *Failed to save configuration, not replacing kernel module ... (warning).*
> Starting ovs-vswitchd [ OK ]
> Enabling remote OVSDB managers [ OK ]
>
>
> The reason seems to be that domain openvswitch_t does not have the right
> to access /usr/sbin/ => that's why ovs-save reports 'ip not found'
>
> We are using the latest selinux-policy:
> http://rpmfind.net//linux/RPM/centos/updates/7.0.1406/x86_64/Packages/selinux-policy-3.12.1-153.el7_0.11.noarch.html
>
> We are using kernel: 3.10.0-123.8.1.el7.x86_64
>
> I checked the selinux-policy-doc, it should support openvswitch running
> shell long ago...
>
> * Fri Apr 05 2013 Miroslav Grepl <[email protected]> 3.12.1-26
> - Try to label on controlC devices up to 30 correctly
> ......
>
> - Allow openvswitch to execute shell
>
>
> So, could you help us check and maybe try if you could reproduce it
> yourself?

Sorry, I was out for some days.

Anyway as FYI, RHEL-7 and probably CentOS7 support systemd, so we
provide a systemd service for openvswitch. Therefore, the sysv script
isn't supported.

Have you run the script in permissive mode to see if fixing that
is enough?

I will try to reproduce on my end as well.

Thanks for the report,
fbl
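
Added example (not part of the thread and not Open vSwitch code): a shell helper that summarises SELinux AVC denials for one source domain, which is the evidence a permissive-mode run produces, since permissive mode logs denials without enforcing them. The sample audit records, including the target type ifconfig_exec_t, are constructed; the thread does not show the actual denials.

```sh
#!/bin/sh
# Summarise AVC denials whose source domain (scontext type) matches $1.
# Reads audit records on stdin, e.g. from /var/log/audit/audit.log.
# Output: "<count> <comm> <permissions> <tclass> <target type>" per distinct denial.
avc_summary() {
    LC_ALL=C awk -v dom="$1" '
        $1 == "type=AVC" && / denied / {
            src = tgt = cls = comm = perms = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
                else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
                else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                else if ($i == "{") {
                    # Permissions are the words between "{" and "}".
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms == "" ? "" : ",") $j
                }
            }
            # Count identical denials once per (comm, perms, class, target type).
            if (src == dom) n[comm " " perms " " cls " " tgt]++
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample records in audit.log format (not taken from the thread):
# two execute denials and one getattr denial for openvswitch_t, one SYSCALL
# record and one denial from an unrelated domain that must be ignored.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1413853406.101:801): avc:  denied  { execute } for  pid=11201 comm="ovs-save" name="ip" dev="dm-0" ino=2044 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1413853406.101:801): arch=c000003e syscall=59 success=no exit=-13 pid=11201 comm="ovs-save" subj=system_u:system_r:openvswitch_t:s0
type=AVC msg=audit(1413853409.415:807): avc:  denied  { execute } for  pid=11260 comm="ovs-save" name="ip" dev="dm-0" ino=2044 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1413853409.420:808): avc:  denied  { getattr } for  pid=11260 comm="ovs-save" path="/usr/sbin/ip" dev="dm-0" ino=2044 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1413853411.002:812): avc:  denied  { read } for  pid=900 comm="httpd" name="app.log" dev="dm-0" ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

sample_audit_log | avc_summary openvswitch_t
```

On a real host, feed the function the audit log instead of the sample: `avc_summary openvswitch_t < /var/log/audit/audit.log`.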
