Bug 2186278

Summary: [OVS DPDK] Encounter modprobe AVC's while configuring OVS DPDK bridge with two interfaces
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Jean-Tsung Hsiao <jhsiao>
Component: openvswitch2.15Assignee: Aaron Conole <aconole>
Status: RELEASE_PENDING --- QA Contact: Jiying Qiu <jiqiu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: RHEL 9.0CC: bfubel, ctrautma, fleitner, jhsiao, ralongi
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jean-Tsung Hsiao 2023-04-12 16:27:58 UTC 
Description of problem: [OVS DPDK] Encounter modprobe AVC's while configuring OVS DPDK bridge with two interfaces

We ran kernel/networking/ovs-dpdk-selinux automation and found the following two AVC's:

++ check_AVC
+++ grep -c -w AVC /var/log/audit/audit.log
++ '[' 2 == 0 ']'
++ grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1681305244.948:109): avc:  denied  { search } for  pid=9713 comm="modprobe" name="events" dev="tracefs" ino=5132 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1681305244.948:109): avc:  denied  { search } for  pid=9713 comm="modprobe" name="events" dev="tracefs" ino=5132 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
++ return 1

The check_AVC function ran right after configuring a OVS DPDK bridge. 

This modprobe AVC is related to openvswitch based on the AVC lines above. But, it seems to be benign as the brige was
built successfully --- the daemon showed no ERRs when attaching two dpdk interfaces to the brdige.

NOTE: Same AVC outputs for ixgbe, i40e, ice and mlx5 NICs --- so far I have tried these four NICs. It seems be generic.


Version-Release number of selected component (if applicable):

[root@netqe29 audit]# uname -r
5.14.0-284.10.1.el9_2.x86_64
[root@netqe29 audit]# rpm -q openvswitch2.15
openvswitch2.15-2.15.0-81.el9fdp.x86_64

How reproducible: Reproducible


Steps to Reproduce: Run kernel/networking/ovs-dpdk-selinux
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jean-Tsung Hsiao 2023-04-12 16:30:03 UTC 
Aaron have already reviewed the two modprobe AVC's.
Comment 2 Aaron Conole 2023-05-23 20:46:37 UTC 
Please test with https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2517138
Comment 5 Jiying Qiu 2023-08-01 06:34:45 UTC 
Verified with ovs2.15 and openvswitch-selinux-extra-policy-1.0-33.el9fdp.noarch.rpm ,there is no avc error reported.
https://beaker.engineering.redhat.com/jobs/8137977