Bug 2107705

Summary: avc: denied { write } for pid=xxxxx comm="ovs-appctl" for ovn*.ctl
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Rick Alongi <ralongi>
Component: openvswitch-selinux-extra-policy
Assignee: Aaron Conole <aconole>
Status: NEW
QA Contact: Rick Alongi <ralongi>
Severity: unspecified
Priority: unspecified
Version: FDP 22.F
CC: aconole, ctrautma, qding
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Type: Bug
Attachments: audit.log

Description Rick Alongi 2022-07-15 17:17:59 UTC
Created attachment 1897467 (audit.log)

Description of problem:
avc.log reports denied { write } for pid=xxxxx comm="ovs-appctl" for various PIDs related to ovn processes (more details below)

Version-Release number of selected component (if applicable):
kernel: 4.18.0-305.25.1.el8_4.x86_64
openvswitch2.16-2.16.0-86.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch
ovn22.06-central-22.06.0-16.el8fdp.x86_64
ovn22.06-22.06.0-16.el8fdp.x86_64
ovn22.06-host-22.06.0-16.el8fdp.x86_64

How reproducible:


Steps to Reproduce:
1. Ran memory leak soak beaker job using Valgrind
2. avc.log in job show errors

Actual results:
AVC denied messages

Expected results:
no AVC denied messages

Additional info:

Link to sample avc.log: https://beaker.engineering.redhat.com/recipes/12277391/tasks/147262824/results/687410019/logs/avc.log

Link to beaker job: https://beaker.engineering.redhat.com/jobs/6810726

Link to sosreport: http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-wsfd-advnetlab34-2022-07-15-ydsbbpp.tar.xz

Steps to configure Valgrind in test:

+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig
+ sedeasy 'OPTIONS=""' 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"' /etc/sysconfig/openvswitch
++ echo 'OPTIONS=""'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OPTIONS=""/OPTIONS="--ovs-vswitchd-wrapper=valgrind"/g' /etc/sysconfig/openvswitch
+ sedeasy 'OVS_USER_ID="openvswitch:hugetlbfs"' '#OVS_USER_ID="openvswitch:hugetlbfs"' /etc/sysconfig/openvswitch
++ echo 'OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo '#OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OVS_USER_ID="openvswitch:hugetlbfs"/#OVS_USER_ID="openvswitch:hugetlbfs"/g' /etc/sysconfig/openvswitch
+ sedeasy openvswitch:hugetlbfs root:root /run/openvswitch.useropts
++ echo openvswitch:hugetlbfs
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo root:root
++ sed -e 's/[\/&]/\\&/g'
+ sed -i s/openvswitch:hugetlbfs/root:root/g /run/openvswitch.useropts
+ echo 'OVN_CONTROLLER_OPTS="--ovn-controller-wrapper=valgrind"'
+ echo 'OVN_NORTHD_OPTS="--ovn-northd-wrapper=valgrind --ovsdb-nb-wrapper=valgrind --ovsdb-sb-wrapper=valgrind"'
+ setenforce 0
+ systemctl restart openvswitch
+ ausearch -c memcheck-amd64- --raw
+ audit2allow -M my-memcheckamd64
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-memcheckamd64.pp

+ semodule -i my-memcheckamd64.pp
+ setenforce 1
+ rm -f /var/log/openvswitch/ovs-vswitchd.valgrind.log.14762 /var/log/openvswitch/ovs-vswitchd.valgrind.log.14767
+ systemctl restart openvswitch
+ systemctl restart ovn-controller
+ systemctl restart ovn-northd

Comment 2 Aaron Conole 2022-08-08 14:42:21 UTC
How did you get this kind of error to trigger?  Normally, we see that OVN/OVS files are tagged as:

openvswitch_var_run_t

But in the error message reported, the target context is

var_run_t

So I guess maybe there is a labeling issue?

Comment 3 Aaron Conole 2022-09-14 15:45:58 UTC
Closing for now.  Some of these steps show that there is likely a relabel issue.  For example:

+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig

What other copies / moves happen?  systemd ovs will create the openvswitch /var/run space as
labeled with openvswitch_var_run_t so I don't know what the script does for valgrind.

Can you put a link to the exact test script that is doing the configuration?
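An added triage helper (my example, not code from this report or from the openvswitch-selinux-extra-policy package) that separates the labelling case raised in Comments 2 and 3 (target context var_run_t, fixed by relabelling) from a genuine policy gap (target context openvswitch_var_run_t). The AVC records, PIDs, inode numbers and the openvswitch_t source domain are constructed sample values, not taken from the attached audit.log.

```shell
#!/bin/sh
# Triage helper for the AVC denials in this report: a denial whose target is
# labelled var_run_t points at a mislabelled socket under /run (fix with
# restorecon), while a target already labelled openvswitch_var_run_t is a
# real gap in the policy module. Feeding the first kind to audit2allow would
# bake "openvswitch_t may write generic var_run_t sock_files" into a local
# module, which is far broader than the intended fix.

# Constructed sample audit records in the standard AVC format (not copied
# from the attached audit.log); the SYSCALL record must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1657905000.100:101): avc:  denied  { write } for  pid=14801 comm="ovs-appctl" name="ovn-northd.14790.ctl" dev="tmpfs" ino=51234 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657905000.200:102): avc:  denied  { write } for  pid=14801 comm="ovs-appctl" name="ovnnb_db.ctl" dev="tmpfs" ino=51240 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1657905000.200:102): arch=c000003e syscall=42 success=no exit=-13'

# classify_avc: read audit records on stdin and print
# "<comm> <name> <target type> <verdict>" for every AVC denial.
# The target type is the TYPE field of tcontext=user:role:TYPE:level.
classify_avc() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        comm = ""; name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^name=/)     { name = $i; sub(/^name="?/, "", name); sub(/"$/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
        }
        verdict = (ttype == "var_run_t") ? "RELABEL" : "POLICY"
        print comm, name, ttype, verdict
    }'
}

# relabel_candidates: only the socket names that a relabel should fix, e.g.
#   restorecon -Rv /run/openvswitch   (plus the OVN run directory on the host)
# Nothing in this list belongs in an audit2allow-generated module.
relabel_candidates() {
    classify_avc | awk '$4 == "RELABEL" { print $2 }'
}

# Stand-alone run over the constructed sample records.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

On a live host, replace the sample with `ausearch -m AVC --raw | classify_avc` and run the relabel before deciding whether any policy change is still needed.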