sosreport / sos

A unified tool for collecting system logs and other debug information
http://sos.rtfd.org
GNU General Public License v2.0

How to Handle SELinux Denials on Default Temp Dir #3372

Open eggfoobar opened 1 year ago

eggfoobar commented 1 year ago

Hey folks, when using the microshift plugin, we see some SELinux denials when we use the default folder of /var/tmp. Changing the temp dir with --tmp-dir to something like /tmp solves the issue, but I was wondering whether we should be shipping a solution to this with our plugin for the default behavior?

type=AVC msg=audit(1696227229.107:8490): avc:  denied  { write } for  pid=22413 comm="ovs-appctl" path="/var/tmp/sos.oq1u66ua/sosreport-dhcp-1-235-95-2023-10-02-bnfjcyw/sos_commands/microshift_ovn/ovs-appctl_-t_.var.run.ovn.ovnnb_db.ctl_coverage.show" dev="dm-0" ino=1804675 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
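To make the denial above easier to reason about, here is a small parser for audit AVC records that pulls out the source and target contexts, the denied permission and the object class, then derives a sesearch query for confirming whether the policy actually carries an allow rule for that access. This is an added example written for this thread, not code from sos or its microshift plugin; the sample record is the line quoted above, and the assumption that sos names its temporary directory with a `sos.` prefix is inferred from that path.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample input: the AVC record quoted in the issue, kept verbatim.
SAMPLE_AVC = (
    'type=AVC msg=audit(1696227229.107:8490): avc:  denied  { write } for  '
    'pid=22413 comm="ovs-appctl" path="/var/tmp/sos.oq1u66ua/'
    'sosreport-dhcp-1-235-95-2023-10-02-bnfjcyw/sos_commands/microshift_ovn/'
    'ovs-appctl_-t_.var.run.ovn.ovnnb_db.ctl_coverage.show" dev="dm-0" '
    'ino=1804675 scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0'
)

# "avc:  denied  { write } for  " -> result and the permission set.
_AVC_HEAD = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
)
# "msg=audit(<epoch>.<ms>:<serial>)" -> event timestamp and serial number.
_MSG_ID = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# key=value pairs; values are either double-quoted (comm, path) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return None when it is not an AVC record."""
    head = _AVC_HEAD.search(line)
    if head is None:
        return None
    fields: Dict[str, object] = {
        "result": head.group("result"),
        "perms": head.group("perms").split(),
    }
    ident = _MSG_ID.search(line)
    if ident is not None:
        fields["timestamp"] = ident.group("ts")
        fields["serial"] = ident.group("serial")
    for key, raw in _KV.findall(line[head.end():]):
        fields[key] = raw.strip('"')
    # Split user:role:type:level so the type pair is directly usable.
    for ctx, prefix in (("scontext", "source"), ("tcontext", "target")):
        parts = str(fields.get(ctx, "")).split(":", 3)
        if len(parts) == 4:
            for name, value in zip(("user", "role", "type", "level"), parts):
                fields[f"{prefix}_{name}"] = value
    return fields


def summarize(fields: Dict[str, object]) -> str:
    """One-line human-readable description of the access decision."""
    perms: List[str] = list(fields["perms"])  # type: ignore[arg-type]
    mode = "permissive" if fields.get("permissive") == "1" else "enforcing"
    return (
        f"{fields.get('source_type')} {fields['result']} {','.join(perms)} on "
        f"{fields.get('tclass')} labeled {fields.get('target_type')} "
        f"(comm={fields.get('comm')}, path={fields.get('path')}, {mode})"
    )


def policy_query(fields: Dict[str, object]) -> str:
    """sesearch (setools) invocation that lists allow rules matching this access.

    An empty result from this query means the loaded policy has no allow rule
    for the pair, which is what a denial in enforcing mode normally implies.
    """
    perms: List[str] = list(fields["perms"])  # type: ignore[arg-type]
    return (
        f"sesearch -A -s {fields.get('source_type')} -t {fields.get('target_type')} "
        f"-c {fields.get('tclass')} -p {','.join(perms)}"
    )


def path_under_sos_tmpdir(path: object, tmp_dir: str) -> bool:
    """True when the target path lies inside an sos working directory.

    Assumption: the working directory is a direct child of tmp_dir whose name
    starts with "sos.", as in the /var/tmp/sos.oq1u66ua path from the issue.
    """
    try:
        rel = PurePosixPath(str(path)).relative_to(tmp_dir)
    except ValueError:
        return False
    return bool(rel.parts) and rel.parts[0].startswith("sos.")


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    if parsed is not None:
        print(summarize(parsed))
        print("check with:", policy_query(parsed))
        print("inside sos tmpdir:", path_under_sos_tmpdir(parsed["path"], "/var/tmp"))
```

Run over `ausearch -m AVC` output, the parser turns each record into the source type, target type and class that a policy lookup needs; feeding those into the printed sesearch command is the direct way to test the expectation raised later in the thread that openvswitch_t should already be allowed to write tmp_t files.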

TurboTurtle commented 1 year ago

Well we definitely don't want to have any plugins generating AVC denials out of the box. The curious thing to me is why we're only seeing this here. We make many calls to ovs-appctl in other plugins (openvswitch, ovn_central, openshift_ovn), and so far we've not had a report of this.

What's the environment this is being run in? Does the openvswitch plugin also get enabled in a microshift environment, and if so are there any other denials being seen with that plugin?

pmoravec commented 1 year ago

Why can't execution of the

ovs-appctl -t /var/run/ovn/ovnnb_db.ctl coverage/show

command write to /var/tmp, where SELinux should allow (almost?) anything? That sounds strange to me.

eggfoobar commented 1 year ago

Yeah, agreed. I'm currently getting access to the system this is happening in. As you've stated, this shouldn't be happening since there are allow rules for this action already in place.