Bug 1535196 - Got mtu AVC when adding MLX5 dpdk to OVS
Summary: Got mtu AVC when adding MLX5 dpdk to OVS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1535202
Depends On:
Blocks:
Reported: 2018-01-16 19:59 UTC by Jean-Tsung Hsiao
Modified: 2018-04-10 12:50 UTC (History)

Fixed In Version: selinux-policy-3.13.1-187.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:49:36 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 0 None None None 2018-04-10 12:50:32 UTC

Description Jean-Tsung Hsiao 2018-01-16 19:59:57 UTC
Description of problem: Got mtu AVC when adding MLX5 dpdk to OVS

*** AVC encountered ***
type=AVC msg=audit(1516131650.857:661): avc:  denied  { write } for  pid=23322 comm="ovs-vswitchd" name="mtu" dev="sysfs" ino=58581 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file


*** Corresponding ovs-vswitchd log messages ***
2018-01-16T19:40:50.858Z|00091|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-01-16T19:40:50.858Z|00092|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
2018-01-16T19:40:50.858Z|00093|netdev_dpdk|ERR|Interface dpdk-10(rxq:1 txq:5) configure error: Permission denied
2018-01-16T19:40:50.858Z|00094|dpif_netdev|ERR|Failed to set interface dpdk-10 new configuration
2018-01-16T19:40:50.858Z|00095|bridge|WARN|could not add network device dpdk-10 to ofproto (No such device)

Version-Release number of selected component (if applicable):
[root@netqe24 ~]# uname -a
Linux netqe24.knqe.lab.eng.bos.redhat.com 3.10.0-825.el7.x86_64 #1 SMP Tue Dec 26 21:14:27 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@netqe24 ~]# rpm -q openvswitch
openvswitch-2.9.0-0.3.20171212git6625e43.el7fdb.x86_64
[root@netqe24 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-185.el7.noarch


How reproducible: Reproducible


Steps to Reproduce:
1. Setenforce 1
2. Start Openvswitch
3. Config an OVS-dpdk bridge with MLX5 dpdk interfaces

Actual results:


Expected results:


Additional info:

Comment 2 Milos Malik 2018-01-17 07:04:20 UTC
Could you re-run the reproducer in permissive mode and collect all SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you

Comment 3 Lukas Vrabec 2018-01-17 10:14:18 UTC
*** Bug 1535202 has been marked as a duplicate of this bug. ***

Comment 4 Jean-Tsung Hsiao 2018-01-17 16:26:31 UTC
(In reply to Milos Malik from comment #2)
> Could you re-run the reproducer in permissive mode and collect all SELinux
> denials?
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
> 
> Thank you

Here you go:

[root@netqe24 mlx5-loopback]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=PROCTITLE msg=audit(01/17/2018 11:24:03.114:1831) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user root:root --no-chdir -- 
type=SYSCALL msg=audit(01/17/2018 11:24:03.114:1831) : arch=x86_64 syscall=open success=no exit=EPERM(Operation not permitted) a0=0x56056e3d8c10 a1=O_RDONLY a2=0x4f a3=0x7f825fc6ed60 items=0 ppid=95787 pid=95788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(01/17/2018 11:24:03.114:1831) : avc:  denied  { open } for  pid=95788 comm=ovs-vswitchd path=/dev/cpu/0/msr dev="devtmpfs" ino=2132 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file 
type=AVC msg=audit(01/17/2018 11:24:03.114:1831) : avc:  denied  { read } for  pid=95788 comm=ovs-vswitchd name=msr dev="devtmpfs" ino=2132 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file 
----
type=PROCTITLE msg=audit(01/17/2018 11:24:04.018:1832) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user root:root --no-chdir -- 
type=SYSCALL msg=audit(01/17/2018 11:24:04.018:1832) : arch=x86_64 syscall=open success=yes exit=31 a0=0x7ffdeb288a30 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x24 items=0 ppid=95787 pid=95788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(01/17/2018 11:24:04.018:1832) : avc:  denied  { write } for  pid=95788 comm=ovs-vswitchd name=flags dev="sysfs" ino=58582 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(01/17/2018 11:25:13.810:1837) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user root:root --no-chdir -- 
type=SYSCALL msg=audit(01/17/2018 11:25:13.810:1837) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffdeb288c92 a1=0x7ffdeb288d00 a2=0x7ffdeb288d00 a3=0x2 items=0 ppid=1 pid=95788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(01/17/2018 11:25:13.810:1837) : avc:  denied  { getattr } for  pid=95788 comm=ovs-vswitchd path=/var/tmp/net_mlx5_85 dev="dm-0" ino=34307762 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file 
----
type=PROCTITLE msg=audit(01/17/2018 11:25:13.810:1838) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user root:root --no-chdir -- 
type=SYSCALL msg=audit(01/17/2018 11:25:13.810:1838) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7ffdeb288c92 a1=0x7ffdeb288d00 a2=0x7ffdeb288d00 a3=0x2 items=0 ppid=1 pid=95788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(01/17/2018 11:25:13.810:1838) : avc:  denied  { unlink } for  pid=95788 comm=ovs-vswitchd name=net_mlx5_85 dev="dm-0" ino=34307762 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file 
----
type=PROCTITLE msg=audit(01/17/2018 11:25:13.810:1839) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user root:root --no-chdir -- 
type=SYSCALL msg=audit(01/17/2018 11:25:13.810:1839) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x55 a1=0x7ffdeb288c90 a2=0x6e a3=0x2 items=0 ppid=1 pid=95788 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
type=AVC msg=audit(01/17/2018 11:25:13.810:1839) : avc:  denied  { create } for  pid=95788 comm=ovs-vswitchd name=net_mlx5_85 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file 
[root@netqe24 mlx5-loopback]#
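
Added example, not part of the original bug comments or of selinux-policy: a small parser that collapses the AVC records posted in comment 4 into one candidate rule per (source type, target type, class) so the denials can be reviewed as a set. The `GENERIC_TARGETS` review list and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in comment 4.
SAMPLE = """\
type=AVC msg=audit(01/17/2018 11:24:03.114:1831) : avc:  denied  { open } for  pid=95788 comm=ovs-vswitchd path=/dev/cpu/0/msr dev="devtmpfs" ino=2132 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(01/17/2018 11:24:03.114:1831) : avc:  denied  { read } for  pid=95788 comm=ovs-vswitchd name=msr dev="devtmpfs" ino=2132 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
----
type=AVC msg=audit(01/17/2018 11:24:04.018:1832) : avc:  denied  { write } for  pid=95788 comm=ovs-vswitchd name=flags dev="sysfs" ino=58582 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
type=AVC msg=audit(01/17/2018 11:25:13.810:1837) : avc:  denied  { getattr } for  pid=95788 comm=ovs-vswitchd path=/var/tmp/net_mlx5_85 dev="dm-0" ino=34307762 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(01/17/2018 11:25:13.810:1838) : avc:  denied  { unlink } for  pid=95788 comm=ovs-vswitchd name=net_mlx5_85 dev="dm-0" ino=34307762 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(01/17/2018 11:25:13.810:1839) : avc:  denied  { create } for  pid=95788 comm=ovs-vswitchd name=net_mlx5_85 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
"""

# Matches both raw and "ausearch -i" AVC records; other record types are ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

# Assumed review list: generic labels where a blanket allow is usually too broad
# and a dedicated type or type transition deserves consideration first.
GENERIC_TARGETS = {"sysfs_t", "tmp_t"}


def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def group_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)


def as_allow_rules(rules):
    """Render grouped denials as candidate allow rules for policy review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


def needs_finer_label(rules):
    """Groups whose target is a generic type from the assumed review list."""
    return sorted(k for k in rules if k[1] in GENERIC_TARGETS)


if __name__ == "__main__":
    grouped = group_denials(SAMPLE)
    print("\n".join(as_allow_rules(grouped)))
    print("review target labels:", needs_finer_label(grouped))
```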

Comment 12 Jean-Tsung Hsiao 2018-02-06 16:32:58 UTC
*** Issue is not fixed on my test bed --- Change status back to ASSIGNED ***

There are no AVCs any more. But /var/log/openvswitch/ovs-vswitchd.log shows some "Permission denied".

2018-02-06T16:19:14.912Z|00056|memory|INFO|44036 kB peak resident set size after 104.4 seconds
2018-02-06T16:19:20.428Z|00001|vlog|INFO|opened log file /var/log/openvswitch/ovs-vswitchd.log
2018-02-06T16:19:20.437Z|00002|ovs_numa|INFO|Discovered 24 CPU cores on NUMA node 0
2018-02-06T16:19:20.437Z|00003|ovs_numa|INFO|Discovered 24 CPU cores on NUMA node 1
2018-02-06T16:19:20.437Z|00004|ovs_numa|INFO|Discovered 2 NUMA nodes and 48 CPU cores
2018-02-06T16:19:20.437Z|00005|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting...
2018-02-06T16:19:20.437Z|00006|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected
2018-02-06T16:19:20.438Z|00007|dpdk|INFO|DPDK Enabled - initializing...
2018-02-06T16:19:20.438Z|00008|dpdk|INFO|No vhost-sock-dir provided - defaulting to /var/run/openvswitch
2018-02-06T16:19:20.438Z|00009|dpdk|INFO|IOMMU support for vhost-user-client disabled.
2018-02-06T16:19:20.438Z|00010|dpdk|INFO|EAL ARGS: ovs-vswitchd -c 0x000000000010 --socket-mem 4096,4096
2018-02-06T16:19:20.442Z|00011|dpdk|INFO|EAL: Detected 48 lcore(s)
2018-02-06T16:19:20.508Z|00012|dpdk|INFO|EAL: Probing VFIO support...
2018-02-06T16:19:20.508Z|00013|dpdk|ERR|EAL:   cannot open VFIO container, error 13 (Permission denied)
2018-02-06T16:19:20.508Z|00014|dpdk|INFO|EAL: VFIO support could not be initialized
2018-02-06T16:19:27.077Z|00015|dpdk|INFO|EAL: PCI device 0000:04:00.0 on NUMA socket 0
2018-02-06T16:19:27.077Z|00016|dpdk|INFO|EAL:   probe driver: 15b3:1017 net_mlx5
2018-02-06T16:19:27.079Z|00017|dpdk|INFO|PMD: net_mlx5: PCI information matches, using device "mlx5_0" (SR-IOV: false)
2018-02-06T16:19:27.082Z|00018|dpdk|INFO|PMD: net_mlx5: 1 port(s) detected
2018-02-06T16:19:27.086Z|00019|dpdk|INFO|PMD: net_mlx5: Enhanced MPS is enabled
2018-02-06T16:19:27.086Z|00020|dpdk|INFO|PMD: net_mlx5: port 1 MAC address is ec:0d:9a:a0:1d:f4
2018-02-06T16:19:27.087Z|00021|dpdk|INFO|EAL: PCI device 0000:04:00.1 on NUMA socket 0
2018-02-06T16:19:27.087Z|00022|dpdk|INFO|EAL:   probe driver: 15b3:1017 net_mlx5
2018-02-06T16:19:27.088Z|00023|dpdk|INFO|PMD: net_mlx5: PCI information matches, using device "mlx5_1" (SR-IOV: false)
2018-02-06T16:19:27.091Z|00024|dpdk|INFO|PMD: net_mlx5: 1 port(s) detected
2018-02-06T16:19:27.095Z|00025|dpdk|INFO|PMD: net_mlx5: Enhanced MPS is enabled
2018-02-06T16:19:27.095Z|00026|dpdk|INFO|PMD: net_mlx5: port 1 MAC address is ec:0d:9a:a0:1d:f5
2018-02-06T16:19:27.096Z|00027|dpdk|INFO|EAL: PCI device 0000:06:00.0 on NUMA socket 0
2018-02-06T16:19:27.096Z|00028|dpdk|INFO|EAL:   probe driver: 8086:10fb net_ixgbe
2018-02-06T16:19:27.096Z|00029|dpdk|INFO|EAL: PCI device 0000:06:00.1 on NUMA socket 0
2018-02-06T16:19:27.096Z|00030|dpdk|INFO|EAL:   probe driver: 8086:10fb net_ixgbe
2018-02-06T16:19:27.096Z|00031|dpdk|INFO|EAL: PCI device 0000:82:00.0 on NUMA socket 1
2018-02-06T16:19:27.096Z|00032|dpdk|INFO|EAL:   probe driver: 8086:1572 net_i40e
2018-02-06T16:19:27.096Z|00033|dpdk|INFO|EAL: PCI device 0000:82:00.1 on NUMA socket 1
2018-02-06T16:19:27.096Z|00034|dpdk|INFO|EAL:   probe driver: 8086:1572 net_i40e
2018-02-06T16:19:27.099Z|00035|dpdk|INFO|DPDK Enabled - initialized
2018-02-06T16:19:27.103Z|00036|bridge|INFO|ovs-vswitchd (Open vSwitch) 2.9.0
2018-02-06T16:19:27.103Z|00037|timeval|WARN|Unreasonably long 6665ms poll interval (8ms user, 6552ms system)
2018-02-06T16:19:27.103Z|00038|timeval|WARN|faults: 17209 minor, 0 major
2018-02-06T16:19:27.103Z|00039|timeval|WARN|disk: 0 reads, 8 writes
2018-02-06T16:19:27.103Z|00040|timeval|WARN|context switches: 98 voluntary, 6 involuntary
2018-02-06T16:19:27.103Z|00041|coverage|INFO|Event coverage, avg rate over last: 5 seconds, last minute, last hour,  hash=3aee121f:
2018-02-06T16:19:27.103Z|00042|coverage|INFO|bridge_reconfigure         0.2/sec     0.017/sec        0.0003/sec   total: 1
2018-02-06T16:19:27.103Z|00043|coverage|INFO|cmap_expand                1.6/sec     0.133/sec        0.0022/sec   total: 8
2018-02-06T16:19:27.103Z|00044|coverage|INFO|miniflow_malloc            2.2/sec     0.183/sec        0.0031/sec   total: 11
2018-02-06T16:19:27.103Z|00045|coverage|INFO|hmap_pathological          0.2/sec     0.017/sec        0.0003/sec   total: 1
2018-02-06T16:19:27.103Z|00046|coverage|INFO|hmap_expand               76.0/sec     6.333/sec        0.1056/sec   total: 380
2018-02-06T16:19:27.103Z|00047|coverage|INFO|txn_unchanged              0.6/sec     0.050/sec        0.0008/sec   total: 3
2018-02-06T16:19:27.103Z|00048|coverage|INFO|poll_create_node           8.0/sec     0.667/sec        0.0111/sec   total: 40
2018-02-06T16:19:27.103Z|00049|coverage|INFO|seq_change                11.2/sec     0.933/sec        0.0156/sec   total: 56
2018-02-06T16:19:27.103Z|00050|coverage|INFO|pstream_open               0.2/sec     0.017/sec        0.0003/sec   total: 1
2018-02-06T16:19:27.103Z|00051|coverage|INFO|stream_open                0.2/sec     0.017/sec        0.0003/sec   total: 1
2018-02-06T16:19:27.103Z|00052|coverage|INFO|util_xalloc              1474.8/sec   122.900/sec        2.0483/sec   total: 7374
2018-02-06T16:19:27.103Z|00053|coverage|INFO|netdev_get_hwaddr          0.4/sec     0.033/sec        0.0006/sec   total: 2
2018-02-06T16:19:27.103Z|00054|coverage|INFO|netlink_received           0.6/sec     0.050/sec        0.0008/sec   total: 3
2018-02-06T16:19:27.103Z|00055|coverage|INFO|netlink_sent               0.2/sec     0.017/sec        0.0003/sec   total: 1
2018-02-06T16:19:27.103Z|00056|coverage|INFO|90 events never hit
2018-02-06T16:19:32.146Z|00057|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.146Z|00058|memory|INFO|44048 kB peak resident set size after 11.7 seconds
2018-02-06T16:19:32.146Z|00059|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.153Z|00060|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.168Z|00061|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports recirculation
2018-02-06T16:19:32.168Z|00062|ofproto_dpif|INFO|netdev@ovs-netdev: VLAN header stack length probed as 1
2018-02-06T16:19:32.168Z|00063|ofproto_dpif|INFO|netdev@ovs-netdev: MPLS label stack length probed as 3
2018-02-06T16:19:32.168Z|00064|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports truncate action
2018-02-06T16:19:32.168Z|00065|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports unique flow ids
2018-02-06T16:19:32.168Z|00066|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports clone action
2018-02-06T16:19:32.168Z|00067|ofproto_dpif|INFO|netdev@ovs-netdev: Max sample nesting level probed as 10
2018-02-06T16:19:32.168Z|00068|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports eventmask in conntrack action
2018-02-06T16:19:32.168Z|00069|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_state
2018-02-06T16:19:32.168Z|00070|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_zone
2018-02-06T16:19:32.168Z|00071|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_mark
2018-02-06T16:19:32.168Z|00072|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_label
2018-02-06T16:19:32.168Z|00073|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_state_nat
2018-02-06T16:19:32.168Z|00074|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_orig_tuple
2018-02-06T16:19:32.168Z|00075|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports ct_orig_tuple6
2018-02-06T16:19:32.319Z|00076|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2018-02-06T16:19:32.328Z|00077|bridge|INFO|bridge ovsbr0: using datapath ID 0000a2660e5ef745
2018-02-06T16:19:32.328Z|00078|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2018-02-06T16:19:32.457Z|00079|poll_loop|INFO|wakeup due to [POLLIN] on fd 10 (NETLINK_ROUTE<->NETLINK_ROUTE) at lib/netlink-socket.c:1331 (56% CPU usage)
2018-02-06T16:19:32.460Z|00080|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.461Z|00081|poll_loop|INFO|wakeup due to 0-ms timeout at vswitchd/bridge.c:2898 (56% CPU usage)
2018-02-06T16:19:32.462Z|00082|poll_loop|INFO|wakeup due to [POLLIN] on fd 27 (FIFO pipe:[216379]) at vswitchd/bridge.c:385 (56% CPU usage)
2018-02-06T16:19:32.466Z|00083|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.471Z|00084|dpif_netdev|INFO|PMD thread on numa_id: 0, core id: 46 created.
2018-02-06T16:19:32.476Z|00085|dpif_netdev|INFO|PMD thread on numa_id: 0, core id: 22 created.
2018-02-06T16:19:32.476Z|00086|dpif_netdev|INFO|There are 2 pmd threads on numa node 0
2018-02-06T16:19:32.487Z|00087|dpdk|INFO|PMD: net_mlx5: 0x5568b9c67ec0: TX queues number update: 0 -> 3
2018-02-06T16:19:32.487Z|00088|dpdk|INFO|PMD: net_mlx5: 0x5568b9c67ec0: RX queues number update: 0 -> 1
2018-02-06T16:19:32.488Z|00089|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-02-06T16:19:32.488Z|00090|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
2018-02-06T16:19:32.488Z|00091|netdev_dpdk|ERR|Interface dpdk-10(rxq:1 txq:3) configure error: Permission denied
2018-02-06T16:19:32.488Z|00092|dpif_netdev|ERR|Failed to set interface dpdk-10 new configuration
2018-02-06T16:19:32.488Z|00093|bridge|WARN|could not add network device dpdk-10 to ofproto (No such device)
2018-02-06T16:19:32.489Z|00094|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.497Z|00095|poll_loop|INFO|wakeup due to [POLLIN] on fd 11 (<->/var/run/openvswitch/db.sock) at lib/stream-fd.c:157 (56% CPU usage)
2018-02-06T16:19:32.497Z|00096|dpif_netdev|INFO|Core 22 on numa node 0 assigned port 'dpdk-10' rx queue 0 (measured processing cycles 0).


[root@netqe24 jhsiao]# rpm -qa | grep selinux
libselinux-2.5-12.el7.x86_64
openstack-selinux-0.8.12-0.20171204232656.7e9ef4a.el7ost.noarch
selinux-policy-targeted-3.13.1-187.el7.noarch
libselinux-utils-2.5-12.el7.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-187.el7.noarch
container-selinux-2.36-1.gitff95335.el7.noarch
libselinux-devel-2.5-12.el7.x86_64
[root@netqe24 jhsiao]# uname -a
Linux netqe24.knqe.lab.eng.bos.redhat.com 3.10.0-837.el7.x86_64 #1 SMP Tue Jan 23 13:31:59 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@netqe24 jhsiao]# rpm -q openvswitch
openvswitch-2.9.0-0.3.20171212git6625e43.el7fdb.x86_64
[root@netqe24 jhsiao]#

Comment 13 Lukas Vrabec 2018-02-06 16:40:23 UTC
Are you able to reproduce it when SELinux is in permissive mode?

Comment 14 Milos Malik 2018-02-06 16:41:26 UTC
Please collect SELinux denials from your machine and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thanks

Comment 15 Jean-Tsung Hsiao 2018-02-06 17:43:35 UTC
NOTE: Even with SELinux set to Permissive, this issue still exists. So I'll set the status back to VERIFIED again and open another one against OVS.

2018-02-06T17:27:00.097Z|00054|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-02-06T17:27:00.097Z|00055|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
2018-02-06T17:27:00.097Z|00056|netdev_dpdk|ERR|Interface dpdk-10(rxq:1 txq:3) configure error: Permission denied
2018-02-06T17:27:00.108Z|00061|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-02-06T17:27:00.108Z|00062|netdev_dpdk|ERR|Interface dpdk-11 MTU (1500) setup error: Permission denied
2018-02-06T17:27:00.108Z|00063|netdev_dpdk|ERR|Interface dpdk-11(rxq:1 txq:3) configure error: Permission denied
2018-02-06T17:37:06.925Z|00088|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-02-06T17:37:06.925Z|00089|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
2018-02-06T17:37:06.925Z|00090|netdev_dpdk|ERR|Interface dpdk-10(rxq:1 txq:3) configure error: Permission denied

[root@netqe24 ~]# getenforce
Permissive
[root@netqe24 ~]#
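
Added example, not part of the original bug comments: the triage done by hand in comments 12 and 15, matching each "Permission denied" line in ovs-vswitchd.log against raw AVC records by timestamp to see which failures have a denial behind them. The sample data is copied from the Description and comment 12; the one-second window, the raw (epoch) audit format and all function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Raw AVC record copied from the Description (epoch timestamp, UTC).
AVC_RAW = (
    'type=AVC msg=audit(1516131650.857:661): avc:  denied  { write } for  '
    'pid=23322 comm="ovs-vswitchd" name="mtu" dev="sysfs" ino=58581 '
    'scontext=system_u:system_r:openvswitch_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file'
)

# ovs-vswitchd.log lines copied from the Description and from comment 12.
OVS_LOG = """\
2018-01-16T19:40:50.858Z|00091|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-01-16T19:40:50.858Z|00092|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
2018-01-16T19:40:50.858Z|00094|dpif_netdev|ERR|Failed to set interface dpdk-10 new configuration
2018-02-06T16:19:32.488Z|00089|dpdk|WARN|PMD: net_mlx5: cannot set port 1 MTU to 1500: Permission denied
2018-02-06T16:19:32.488Z|00090|netdev_dpdk|ERR|Interface dpdk-10 MTU (1500) setup error: Permission denied
"""

AUDIT_RE = re.compile(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\):.*?comm="?([^"\s]+)"?')
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})Z\|\d+\|([^|]+)\|[A-Z]+\|(.*)$"
)


def parse_avcs(text, comm):
    """Return (epoch seconds, audit serial) for AVC records of one command."""
    return [
        (float(m.group(1)), int(m.group(2)))
        for m in AUDIT_RE.finditer(text)
        if m.group(3) == comm
    ]


def parse_denied(log_text):
    """Yield (epoch, timestamp string, module) for 'Permission denied' lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "Permission denied" in m.group(3):
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            yield ts.replace(tzinfo=timezone.utc).timestamp(), m.group(1), m.group(2)


def correlate(avc_text, log_text, comm="ovs-vswitchd", window=1.0):
    """Attach to each denied log line the AVC serials within +/- window seconds."""
    avcs = parse_avcs(avc_text, comm)
    return [
        (stamp, module, sorted(s for t, s in avcs if abs(t - epoch) <= window))
        for epoch, stamp, module in parse_denied(log_text)
    ]


def unexplained(results):
    """Log failures with no AVC nearby: candidates for a non-SELinux cause."""
    return [(stamp, module) for stamp, module, serials in results if not serials]


if __name__ == "__main__":
    for row in correlate(AVC_RAW, OVS_LOG):
        print(row)
```

An unmatched line is a hint rather than proof, because dontaudit rules suppress AVC logging; the permissive-mode run in comment 15 is the decisive check.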

Comment 16 Jean-Tsung Hsiao 2018-02-06 17:45:15 UTC
(In reply to Milos Malik from comment #14)
> Please collect SELinux denials from your machine and attach them here:
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
> 
> Thanks

As mentioned in Comment 15, this is not an SELinux issue any more.

Comment 17 Marcelo Ricardo Leitner 2018-02-16 16:03:29 UTC
FWIW, Mellanox DPDK PMD was changed to not use sysfs for updating configs, but to use ioctls instead. Makes me think that some bits of the solution used here aren't needed anymore and maybe could/should be reverted.
https://bugzilla.redhat.com/show_bug.cgi?id=1537366#c9

Comment 20 errata-xmlrpc 2018-04-10 12:49:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

