Bug 2203585
| Summary: | Missing /sys/kernel/debug/tracing/events/openvswitch directory | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Gregor Jurgele <gregor.jurgele> |
| Component: | openvswitch-selinux-extra-policy | Assignee: | Aaron Conole <aconole> |
| Status: | NEW --- | QA Contact: | Jean-Tsung Hsiao <jhsiao> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | RHEL 9.0 | CC: | ctrautma, qding |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The below patch from openvswitch-selinux-extra-policy-1.0-30.el8fdp.src.rpm is missing from openvswitch-selinux-extra-policy-1.0-31.el9fdp.src.rpm:
diff -upr a/openvswitch-custom.te b/openvswitch-custom.te
--- a/openvswitch-custom.te 2022-02-02 10:55:06.376845429 -0500
+++ b/openvswitch-custom.te 2022-02-02 11:33:48.025800257 -0500
@@ -38,6 +38,7 @@ require {
type sssd_var_lib_t;
type sysfs_t;
type systemd_unit_file_t;
+ type tracefs_t;
type tun_tap_device_t;
type hugetlbfs_t;
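Review bot: the context lines of this hunk have lost their leading indentation and the hunk is one line shorter than its header `@@ -38,6 +38,7 @@` declares (six lines are shown where seven are expected), so the patch as pasted here will not apply with `patch -p1`; attach the original patch file or regenerate it with `diff -u` instead of quoting it inline. Declaring `type tracefs_t;` in the `require` block is the right fix for the compile side, but it only helps if the el9 selinux-policy base actually defines `tracefs_t`; if it does not, `semodule -i` will refuse to install the module, so that should be checked on an el9 host before the rule below it is relied on.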
@@ -163,6 +164,8 @@ allow openvswitch_load_module_t sysfs_t:
allow openvswitch_load_module_t sysfs_t:file { open read };
allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
+allow openvswitch_load_module_t tracefs_t:dir { search getattr open read };
+allow openvswitch_load_module_t tracefs_t:file { map getattr open read };
# no need to grant search permissions for this - and no need to emit
# an error, either.
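Review bot: the two `allow` rules grant more than the single denial in the report demonstrates. The AVC shows only `search` on a `tracefs_t` directory by `modprobe` running as `openvswitch_load_module_t`, while the rules also add `getattr open read` on directories and `map getattr open read` on files. Directory listing and file reads plausibly follow once search succeeds, but `map` on tracefs files is an unusual grant for a module loader and should be confirmed from a complete permissive-mode capture (`ausearch -m AVC -c modprobe`) before it is carried over from the el8 policy, with a short comment above the rules recording why the kernel needs it. Placement is also confusing: the new rules land directly above the comment `# no need to grant search permissions for this - and no need to emit an error, either.`, which refers to whatever rule follows it, so a blank line or moving the new rules above the `systemd_unit_file_t` line would keep that comment attached to its own rule. Like the first hunk, this one is a line short of its `+164,8` header.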
---
brewweb.engineering.redhat.com does not resolve to an IP for me.
Description of problem:
Directory /sys/kernel/debug/tracing/events/openvswitch not created on system start when SELinux set to enforcing.

Version-Release number of selected component (if applicable):
openvswitch-selinux-extra-policy.noarch 1.0-31.el9fdp @fast-datapath-for-rhel-9-x86_64-rpms
openvswitch2.17.x86_64 2.17.0-77.el9fdp @fast-datapath-for-rhel-9-x86_64-rpms

How reproducible:
Always

Steps to Reproduce:
1. RHEL 9.2 minimal install
2. sudo subscription-manager repos --enable=fast-datapath-for-rhel-9-x86_64-rpms
3. sudo dnf install openvswitch-selinux-extra-policy openvswitch2.17
4. sudo reboot

Actual results:
Missing directory /sys/kernel/debug/tracing/events/openvswitch and directories beneath

Expected results:
Directory /sys/kernel/debug/tracing/events/openvswitch present and not empty

Additional info:
When SELinux is set to permissive the directory is created.

/var/log/messages:
```
May 14 11:04:53 test systemd[1]: Starting Open vSwitch Forwarding Unit...
May 14 11:04:53 test kernel: Failed to create system directory openvswitch
May 14 11:04:53 test kernel: Failed to create system directory openvswitch
May 14 11:04:53 test kernel: openvswitch: Open vSwitch switching datapath
May 14 11:04:53 test ovs-ctl[720]: Inserting openvswitch module.
May 14 11:04:53 test ovs-ctl[689]: Starting ovs-vswitchd.
May 14 11:04:53 test ovs-vsctl[767]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait add Open_vSwitch . external-ids hostname=test.local
May 14 11:04:53 test ovs-ctl[689]: Enabling remote OVSDB managers.
May 14 11:04:53 test systemd[1]: Started Open vSwitch Forwarding Unit.
```

/var/log/audit/audit.log:
```
type=AVC msg=audit(1684055093.767:25): avc: denied { search } for pid=725 comm="modprobe" name="events" dev="tracefs" ino=35 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
```
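The added script below is not part of the bug report or of the openvswitch-selinux-extra-policy package; it shows how the AVC record quoted above maps onto the kind of `allow` rule the patch adds, and how to verify the reported symptom on a host. The functions `avc_field`, `avc_perms`, `avc_to_allow` and `check_ovs_tracefs` are names chosen here, the AVC line is constructed from the one in the report, and the rule derivation is a deliberately simplified version of what `audit2allow` from policycoreutils does (it handles one record at a time and does not merge permissions across records).

```shell
#!/bin/sh
# Added example, not from the bug report: derive an SELinux allow rule from an
# AVC denial record and check whether the tracefs events directory exists.

# Constructed sample, copied from the AVC quoted in the report.
AVC_SAMPLE='type=AVC msg=audit(1684055093.767:25): avc: denied { search } for pid=725 comm="modprobe" name="events" dev="tracefs" ino=35 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: print the value of KEY=... in one AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permissions listed between "{ }" after "denied".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\) *}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_to_allow LINE: print "allow <source type> <target type>:<class> { perms };"
# Only the type field (third ":"-separated component) of each context is used,
# which is what a policy allow rule names. Returns 1 if LINE is not an AVC record.
avc_to_allow() {
    line=$1
    src=$(avc_field "$line" scontext | cut -d: -f3)
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# check_ovs_tracefs [DIR]: succeed only if DIR exists and is non-empty, which is
# the "Expected results" condition from the report. DIR defaults to the path
# the bug is about; a different path can be passed for testing.
check_ovs_tracefs() {
    dir=${1:-/sys/kernel/debug/tracing/events/openvswitch}
    if [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "present: $dir"
        return 0
    fi
    echo "missing or empty: $dir"
    return 1
}

# Usage: print the rule implied by the sample record. On a real host, feed it
# lines from `ausearch -m AVC` instead and compare against the patched policy.
avc_to_allow "$AVC_SAMPLE"
```

The derived rule for the report's record is `allow openvswitch_load_module_t tracefs_t:dir { search };`, which is the first permission of the first line the patch adds; the extra permissions in the patch only become visible from records collected in permissive mode, because in enforcing mode the kernel stops at the first denial.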