Bug 1561728

Summary: [OSP11] Got lots of OVS daemon ERRs while starting an OVS-dpdk guest
Product: Red Hat OpenStack
Reporter: Lon Hohberger <lhh>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: high
Docs Contact:
Priority: high
Version: 13.0 (Queens)
CC: aconole, atragler, berrange, ctrautma, fleitner, jherrman, jhsiao, jraju, jsuchane, juzhang, ktraynor, kzhang, maxime.coquelin, mgrepl, pezhang, rbalakri, rcain, skramaja, srevivo, tredaelli, ushkalim
Target Milestone: z5
Keywords: Rebase, SELinux, Triaged, ZStream
Target Release: 11.0 (Ocata)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the virtlogd service logged redundant AVC denial errors when a guest virtual machine was started. With this update, the virtlogd service no longer attempts to send shutdown inhibition calls to systemd, which prevents the described errors from occurring.
Story Points: ---
Clone Of: 1561711
Environment:
Last Closed: 2018-05-18 17:17:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1561711
Bug Blocks:

Description Lon Hohberger 2018-03-28 18:32:00 UTC
+++ This bug was initially created as a clone of Bug #1561711 +++

+++ This bug was initially created as a clone of Bug #1547250 +++

[snip]

Description of problem:

Got lots of OVS daemon ERRs while starting an OVS-dpdk guest

[snip]

--- Additional comment from Jean-Tsung Hsiao on 2018-02-21 11:00:25 EST ---

Selinux could be the issue here.

On netqe19, when the guest ran in CLIENT mode with 2.9.0-1 fdP and qemu-kvm-rhev-2.10.0-20: if Selinux=Permissive, there was no such issue.

But, if Selinux=Enforcing, the issue happened --- lots of "truncted msg" ERRs seen in ovs-vswitchd.log.

See below for a USER_AVC.

[root@netqe19 ~]# tail -f /var/log/audit/audit.log | grep AVC
type=USER_AVC msg=audit(1519227919.365:2627): pid=1104 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=2650 tpid=1095 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


2018-02-21T15:54:30.709Z|1446065|dpdk|ERR|VHOST_CONFIG: truncted msg
2018-02-21T15:54:30.709Z|1446066|dpdk|ERR|VHOST_CONFIG: vhost read message failed
2018-02-21T15:54:30.709Z|1446067|dpdk|INFO|VHOST_CONFIG: new vhost user connection is 62
2018-02-21T15:54:30.709Z|1446068|dpdk|INFO|VHOST_CONFIG: new device, handle is 0
2018-02-21T15:54:30.709Z|1446069|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_FEATURES
2018-02-21T15:54:30.709Z|1446070|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_PROTOCOL_FEATURES
2018-02-21T15:54:30.709Z|1446071|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_SET_PROTOCOL_FEATURES
2018-02-21T15:54:30.709Z|1446072|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_QUEUE_NUM
2018-02-21T15:54:30.709Z|1446073|dpdk|ERR|VHOST_CONFIG: truncted msg

[snip]

--- Additional comment from Daniel Berrange on 2018-03-06 11:17:02 EST ---

The virNetDaemon class that's used by virtlogd (and libvirtd) calls virNetDaemonCallInhibit() when it wants to prevent shutdown of the login session. This invokes the Inhibit message on logind over DBus, which is why this AVC is triggered.

virtlogd inhibits shutdown whenever it has a log file for a running guest open, though. So the AVC being reported here is a gap in the policy.

That said, I think we could reasonably argue that virtlogd should not try to inhibit shutdown itself. libvirtd can already inhibit shutdown when QEMU is running, if required, so virtlogd is really not adding value in this respect.

So I'd suggest we can probably just remove the inhibit logic from src/logging/log_handler.c

[snip]


The goal is simply to work around this USER_AVC while this is fixed in a future RHEL7 update.

--- Additional comment from Lon Hohberger on 2018-03-28 14:29:56 EDT ---

https://github.com/redhat-openstack/openstack-selinux/commit/bc744f2300da53e3f3b39b2b233a15a7e6197adf
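The dbus denial quoted in the description above (virtlogd_t calling org.freedesktop.login1.Manager.Inhibit on systemd_logind_t) is the kind of record a policy workaround has to cover until virtlogd stops inhibiting shutdown. As an added example, not code from the openstack-selinux commit, this parses that USER_AVC record and renders the allow rules audit2allow would derive from it; the module name bz1561711_workaround and the trimmed sample line are constructed here.

```python
import re

# Constructed sample input: the USER_AVC record quoted in this bug, with unused fields dropped.
SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1519227919.365:2627): pid=1104 uid=81 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 "
    "spid=2650 tpid=1095 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_user_avc(line):
    """Return the fields of a USER_AVC dbus denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # values may carry the closing quote of msg='...'; strip it along with any double quotes
    fields = {k: v.strip('"').rstrip("'") for k, v in KV_RE.findall(m.group("rest"))}
    if fields.get("tclass") != "dbus":
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]

def allow_rules(denial):
    """Rules for a dbus denial. dbus-daemon checks send_msg on the reply as well,
    so the reverse direction is emitted too (as refpolicy's *_dbus_chat interfaces do)."""
    src, dst = context_type(denial["scontext"]), context_type(denial["tcontext"])
    perms = " ".join(denial["perms"])
    return [f"allow {src} {dst}:dbus {{ {perms} }};", f"allow {dst} {src}:dbus {{ {perms} }};"]

def workaround_module(line, name="bz1561711_workaround"):
    """Render a minimal .te module for one USER_AVC dbus denial (hypothetical module name)."""
    d = parse_user_avc(line)
    if d is None:
        return None
    src, dst = context_type(d["scontext"]), context_type(d["tcontext"])
    return (f"policy_module({name}, 1.0)\n\nrequire {{\n    type {src};\n    type {dst};\n"
            f"    class dbus {{ {' '.join(d['perms'])} }};\n}}\n\n"
            f"# {d['interface']}.{d['member']} method call seen in audit.log\n"
            + "\n".join(allow_rules(d)) + "\n")
```

Feed `grep USER_AVC /var/log/audit/audit.log` lines through `parse_user_avc` and keep only those whose interface/member you actually intend to permit; a blanket rule generated from every denial is how policies grow too permissive.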

Comment 6 Lon Hohberger 2018-05-10 18:18:55 UTC
/usr/share/openstack-selinux/0.8.14/tests/bz1561711 is present in openstack-selinux-0.8.14-1 and all AVC regression tests passed.

Comment 9 errata-xmlrpc 2018-05-18 17:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1623