Bug 1380114 - RFE: OVS-dpdk daemon won't start due to AVC denial with SELINUX=enforcing
Summary: RFE: OVS-dpdk daemon won't start due to AVC denial with SELINUX=enforcing
Keywords:
Status: CLOSED DUPLICATE of bug 1397537
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Aaron Conole
QA Contact: Jean-Tsung Hsiao
URL:
Whiteboard:
Depends On:
Blocks: 1325680
Reported: 2016-09-28 17:15 UTC by Jean-Tsung Hsiao
Modified: 2016-12-06 08:57 UTC
CC: 19 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-06 08:57:18 UTC
Target Upstream Version:



Description Jean-Tsung Hsiao 2016-09-28 17:15:30 UTC
Description of problem: RFE: OVS-dpdk daemon won't start due to AVC denial with SELINUX=enforcing

Currently, in a dpdk environment the OVS daemon won't start with SELINUX=enforcing, as it gets an AVC denial:

type=AVC msg=audit(1475082194.788:1788): avc:  denied  { read write } for  pid=64221 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1475082194.788:1788): arch=c000003e syscall=2 success=no exit=-13 a0=7fbdfb2ddcd0 a1=2 a2=7fbdf9a6f7b8 a3=7fbdf97e89d0 items=0 ppid=64104 pid=64221 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=SERVICE_START msg=audit(1475082204.498:1789): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch-nonetwork comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1475082204.502:1790): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=openvswitch comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' 

This BZ is to request an enhancement so that the daemon will start with SELINUX=enforcing.

Version-Release number of selected component (if applicable):
[root@netqe5 audit]# rpm -qa | grep openvswitch
openvswitch-2.5.0-5.git20160628.el7fdb.x86_64
[root@netqe5 audit]# uname -a
Linux netqe5.knqe.lab.eng.bos.redhat.com 3.10.0-510.el7.x86_64 #1 SMP Wed Sep 21 14:44:14 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

How reproducible: reproducible


Steps to Reproduce:
The following steps need to be done in a dpdk environment.
1. setenforce 1
2. systemctl start openvswitch

Actual results:


Expected results:


Additional info:

Comment 2 Thadeu Lima de Souza Cascardo 2016-09-28 17:29:10 UTC
Do you have selinux-policy installed?

Thanks.
Cascardo.

Comment 3 Aaron Conole 2016-09-28 19:03:26 UTC
This request needs to be satisfied by updating the selinux targeted package, iirc.  I have one update ready to go, but we will need to run a few different devices and scenarios to make sure that we capture all of the cases.  UIO, VFIO, and vhost-user are the ones I'm thinking.  I will obtain captures and try to write up a patch for the targeted policy in the next week.

Comment 10 Aaron Conole 2016-11-21 16:01:57 UTC
I believe the following selinux policy should cover vfio and vhost-user, but you'll need to test.  Also note that for vhost-user changes, you'll definitely need a change to the libvirt policy.  I haven't tested with uio.  Not sure how to get this into the selinux-policy or whether we should ship it as part of the ovs package (flavio / anita?)


module openvswitch-policy 1.0.1;

require {
        type openvswitch_t;
        type openvswitch_tmp_t;
        type openvswitch_var_run_t;
        type ifconfig_exec_t;
        type hostname_exec_t;
        type vfio_device_t;
        type kernel_t;
        type tun_tap_device_t;
        type hugetlbfs_t;
        type init_t;
        class netlink_socket { setopt getopt create connect getattr write read };
        class file { write getattr read open execute execute_no_trans create unlink };
        class chr_file { write getattr read open ioctl };
        class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
        class dir { write remove_name add_name lock read };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
allow openvswitch_t hostname_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:file { execute execute_no_trans };
allow openvswitch_t openvswitch_tmp_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
allow openvswitch_t tun_tap_device_t:chr_file { read write getattr open ioctl };
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
allow openvswitch_t hugetlbfs_t:file { create unlink };
allow openvswitch_t kernel_t:unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom };
allow openvswitch_t init_t:file { read open };

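The description quotes an AVC record and comment 10 proposes a set of allow rules; the natural check is whether every denial in the audit log is actually covered by the rules in the module before it is built and loaded. The script below is an added example written for this page, not code from the bug, from Open vSwitch or from selinux-policy: it parses `avc: denied` records (scontext/tcontext type, object class, permission set), parses the `allow` rules of a .te file (including `self` targets), reports which permissions a denial would still miss, and prints the audit2allow-style rule that would close the gap. The first audit record is the vfio denial from the description; the other two records and the abridged rule list are constructed inputs for the demonstration. Real usage would read `/var/log/audit/audit.log` and the module file instead of the embedded strings.

```python
"""Check audit AVC denials against the allow rules of an SELinux .te module."""
import re

# Constructed sample inputs. The first AVC record is the vfio denial quoted in the
# bug description; the hugetlbfs and netlink records are made up here so the
# checker has one covered and one uncovered case to report on.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1475082194.788:1788): avc:  denied  { read write } for  pid=64221 comm="ovs-vswitchd" name="vfio" dev="devtmpfs" ino=396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1475082194.788:1788): arch=c000003e syscall=2 success=no exit=-13 comm="ovs-vswitchd"
type=AVC msg=audit(1475082200.000:1800): avc:  denied  { read } for  pid=64221 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file
type=AVC msg=audit(1475082201.000:1801): avc:  denied  { create } for  pid=64221 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_socket
"""

# Allow rules abridged from the module in comment 10 (only the rules the samples touch).
SAMPLE_TE = """\
allow openvswitch_t self:netlink_socket { setopt getopt create connect getattr write read };
allow openvswitch_t vfio_device_t:chr_file { read write open ioctl getattr };
allow openvswitch_t hugetlbfs_t:dir { write remove_name add_name lock read };
allow openvswitch_t hugetlbfs_t:file { create unlink };
"""

# One AVC record: permission set in braces, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
# One TE allow rule: "allow src tgt:class { p1 p2 };" or "allow src tgt:class p1;".
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\w+))\s*;", re.M)


def context_type(ctx):
    """Return the type field (user:role:type:level) of a security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for every AVC denial in text."""
    return [(context_type(m["scontext"]), context_type(m["tcontext"]),
             m["tclass"], frozenset(m["perms"].split()))
            for m in AVC_RE.finditer(text)]


def parse_allow_rules(te_text):
    """Map (src, tgt, class) to the union of permissions granted by allow rules."""
    rules = {}
    for m in ALLOW_RE.finditer(te_text):
        perms = set(m["set"].split()) if m["set"] is not None else {m["one"]}
        tgt = m["src"] if m["tgt"] == "self" else m["tgt"]  # 'self' means the source type
        rules.setdefault((m["src"], tgt, m["cls"]), set()).update(perms)
    return rules


def uncovered_perms(denial, rules):
    """Permissions of one denial that no allow rule grants (empty set if covered)."""
    src, tgt, cls, perms = denial
    return set(perms) - rules.get((src, tgt, cls), set())


def suggest_rule(denial):
    """Render the minimal allow rule for a denial, the way audit2allow would."""
    src, tgt, cls, perms = denial
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"


def check(audit_text, te_text):
    """Pair each denial with the permissions the module would still leave denied."""
    rules = parse_allow_rules(te_text)
    return [(d, uncovered_perms(d, rules)) for d in parse_avc(audit_text)]


if __name__ == "__main__":
    for denial, missing in check(SAMPLE_AUDIT, SAMPLE_TE):
        src, tgt, cls, perms = denial
        if missing:
            status = "MISSING, would need: " + suggest_rule((src, tgt, cls, missing))
        else:
            status = "covered"
        print(f"{src} -> {tgt}:{cls} {sorted(perms)}: {status}")
```

With the sample inputs the vfio and netlink denials are reported as covered and the constructed hugetlbfs_t:file read denial is flagged with the rule that would cover it; whether that rule belongs in the module is still a judgement call (a read on a hugetlbfs-backed file is plausible for DPDK, but a rule should only be added for denials that were actually observed, not for every permission a class supports). Running the loaded module in permissive mode first, as comment 10 asks the reporter to do, is what produces the complete set of denials to feed in.
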
Comment 12 Maxim Babushkin 2016-11-22 12:15:58 UTC
Hi Lukas,

The AVC denials are posted in comment #5.
In addition, the selinux troubleshooter output is attached for all 4 AVC denials.

Thanks,
Maxim.

Comment 14 Maxim Babushkin 2016-11-22 14:47:56 UTC
Hi Lukas,

Ok. I'll try it and then post the results.

Thanks,
Maxim.

Comment 15 Maxim Babushkin 2016-12-06 08:57:18 UTC

*** This bug has been marked as a duplicate of bug 1397537 ***

