Bug 2169463

Summary: avc: denied { write } for pid=xxxxx comm="ovs-appctl" for ovn*.ctl
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Rick Alongi <ralongi>
Component: openvswitch-selinux-extra-policyAssignee: Aaron Conole <aconole>
Status: NEW --- QA Contact: Rick Alongi <ralongi>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: FDP 23.ACC: ctrautma, qding
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log none

Description Rick Alongi 2023-02-13 16:34:39 UTC
Created attachment 1943865 [details]
audit.log

Description of problem:

***NOTE:***This appears to be the same issue tracked for RHEL-8 in https://bugzilla.redhat.com/show_bug.cgi?id=2107705.

avc.log reporting denied  { write } for  pid=xxxxx comm="ovs-appctl" for various PIDs related to ovn processes (more details below)


Version-Release number of selected component (if applicable):

kernel: 5.14.0-239.el9.x86_64
openvswitch-selinux-extra-policy-1.0-31.el9fdp.noarch
openvswitch3.0-3.0.0-27.el9fdp.x86_64
ovn22.09-22.09.0-31.el9fdp.x86_64
ovn22.09-central-22.09.0-31.el9fdp.x86_64
ovn22.09-host-22.09.0-31.el9fdp.x86_64


How reproducible:


Steps to Reproduce:
1. Ran memory leak soak beaker job using Valgrind
2. avc.log in job show errors
3.

Actual results:
AVC denied messages

Expected results:
no AVC denied messages

Additional info:

audit.log attached.

Link to sample AVC log from beaker job:
https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/01/74728/7472872/13296060/155487890/725124741/avc.log

Link to beaker job:
https://beaker.engineering.redhat.com/jobs/7472872

Link to sos report:
http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-wsfd-advnetlab34-2023-02-13-tullxvh.tar.xz

Link to test script:
https://gitlab.cee.redhat.com/kernel-qe/kernel/-/blob/master/networking/openvswitch/memory_leak_soak/runtest.sh

Link to location in test script where Valgrind is configured:
https://gitlab.cee.redhat.com/kernel-qe/kernel/-/blob/master/networking/openvswitch/memory_leak_soak/runtest.sh#L308