Bug 2224464

Summary: ovs-vswitch create virtio port failed when enable selinux
Product: Red Hat Enterprise Linux Fast Datapath
Component: openvswitch-selinux-extra-policy
Version: RHEL 9.0
Hardware: x86_64
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Type: Bug
Reporter: mhou <mhou>
Assignee: Aaron Conole <aconole>
QA Contact: mhou <mhou>
CC: ctrautma, qding

Description mhou 2023-07-21 02:29:22 UTC
Description of problem:
Running ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1" failed.

Version-Release number of selected component (if applicable):
openvswitch3.1-3.1.0-35.el9fdp

How reproducible: 100%

Steps to Reproduce:
1. create virtio port
# systemctl start openvswitch
# ovs-vsctl set Open_vSwitch . other_config:dpdk-init=true
# ovs-vsctl add-br ovsbr0 -- set bridge ovsbr0 datapath_type=netdev
# ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1"
2. try to import selinux policy
# grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
# semodule -i ovslocal.pp
# ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1"
ovs-vsctl: Error detected while setting up 'g1_dpdk1': Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK.  See ovs-vswitchd log for details.
ovs-vsctl: The default log directory is "/var/log/openvswitch".

3. check the selinux label on /dev/vhost-net
# ll -Z /dev/vhost-net 
crw-rw-rw-. 1 root kvm system_u:object_r:vhost_device_t:s0 10, 238 Jul 19 12:22 /dev/vhost-net

Actual results:
1. Creating the port failed; see the error log in ovs-vswitchd.log:
2023-07-21T02:18:28.722Z|00060|dpif_netdev|INFO|PMD load based sleeps are disabled.
2023-07-21T02:18:28.727Z|00061|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2023-07-21T02:18:28.728Z|00062|bridge|INFO|bridge ovsbr0: using datapath ID 00002e1da8e75e42
2023-07-21T02:18:28.728Z|00063|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2023-07-21T02:18:53.614Z|00064|dpdk|ERR|virtio_user_backend_type(): Stat fails: /dev/vhost-net (Permission denied)
2023-07-21T02:18:53.614Z|00065|dpdk|ERR|virtio_user_pmd_probe(): unable to determine backend type for path /dev/vhost-net
2023-07-21T02:18:53.614Z|00066|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:18:53.614Z|00067|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:18:53.614Z|00068|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:18:53.614Z|00069|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:18:53.614Z|00070|dpdk|ERR|Invalid port_id=1024
2023-07-21T02:19:36.099Z|00071|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:19:36.099Z|00072|dpdk|ERR|virtio_user_dev_setup(): (/dev/vhost-net) Failed to setup backend
2023-07-21T02:19:36.099Z|00073|dpdk|ERR|virtio_user_dev_init(): (/dev/vhost-net) backend set up fails
2023-07-21T02:19:36.099Z|00074|dpdk|ERR|virtio_user_pmd_probe(): virtio_user_dev_init fails
2023-07-21T02:19:36.099Z|00075|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:19:36.099Z|00076|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:19:36.099Z|00077|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:19:36.099Z|00078|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:19:36.099Z|00079|dpdk|ERR|Invalid port_id=1024
2023-07-21T02:21:09.852Z|00080|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:21:09.852Z|00081|dpdk|ERR|virtio_user_dev_setup(): (/dev/vhost-net) Failed to setup backend
2023-07-21T02:21:09.852Z|00082|dpdk|ERR|virtio_user_dev_init(): (/dev/vhost-net) backend set up fails
2023-07-21T02:21:09.852Z|00083|dpdk|ERR|virtio_user_pmd_probe(): virtio_user_dev_init fails
2023-07-21T02:21:09.852Z|00084|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:21:09.852Z|00085|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:21:09.852Z|00086|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:21:09.852Z|00087|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:21:09.852Z|00088|dpdk|ERR|Invalid port_id=1024


Expected results:
openvswitch-selinux should support the SELinux label with a virtio tap device.

Additional info:
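
Added example, not part of the original report and not code from the Open vSwitch or selinux-policy projects: the grep in step 2 matches "openvswitch_t" anywhere in a record, including records where it is only the target context, so this Python script groups denials by source domain and renders the candidate allow rule for review before anything is loaded with semodule. The AVC records are constructed samples in the kernel AVC message format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC format (not taken from the report).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1689905933.614:512): avc:  denied  { getattr } for  pid=4242 comm="ovs-vswitchd" path="/dev/vhost-net" dev="devtmpfs" ino=211 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1689905976.099:530): avc:  denied  { read write } for  pid=4242 comm="ovs-vswitchd" name="vhost-net" dev="devtmpfs" ino=211 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1689905976.100:531): avc:  denied  { open } for  pid=4242 comm="ovs-vswitchd" path="/dev/vhost-net" dev="devtmpfs" ino=211 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1689905980.000:540): avc:  denied  { signal } for  pid=900 comm="helper" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(audit_text, source_type="openvswitch_t"):
    """Group denied permissions by (source type, target type, class).

    Only records whose *source* domain is source_type are kept, unlike a
    plain grep, which also picks up records where it is the target.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["s"]) != source_type:
            continue
        key = (source_type, selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the grouped denials as candidate allow rules for review."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a real host the input would be the contents of /var/log/audit/audit.log; the fourth sample record is the kind a grep for "openvswitch_t" would pass to audit2allow even though ovs-vswitchd is not the requesting domain.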