Bug 1561729 - [OSP10] Got lots OVS daemon ERRs while starting a OVS-dpdk guest
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Target Milestone: z8
Target Release: 10.0 (Newton)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
Depends On: 1561711
Reported: 2018-03-28 18:32 UTC by Lon Hohberger
Modified: 2018-06-22 13:05 UTC

Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the virtlogd service logged redundant AVC denial errors when a guest virtual machine was started. With this update, the virtlogd service no longer attempts to send shutdown inhibition calls to systemd, which prevents the described errors from occurring.
Clone Of: 1561711
Last Closed: 2018-05-17 15:50:19 UTC
Target Upstream Version:

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:1596 | None | None | None | 2018-05-17 15:50:40 UTC

Description Lon Hohberger 2018-03-28 18:32:47 UTC
+++ This bug was initially created as a clone of Bug #1561711 +++

+++ This bug was initially created as a clone of Bug #1547250 +++


Description of problem:

Got lots OVS daemon ERRs while starting a OVS-dpdk guest


--- Additional comment from Jean-Tsung Hsiao on 2018-02-21 11:00:25 EST ---

SELinux could be the issue here.

On netqe19 when guest ran in CLIENT mode 2.9.0-1 fdP and qemu-kvm-rhev-2.10.0-20. If SELinux=Permissive, there was no such issue.

But, if SELinux=Enforcing, the issue happened --- lots of "truncted msg" ERRs seen in ovs-vswitchd.log.

See below for a USER_AVC.

[root@netqe19 ~]# tail -f /var/log/audit/audit.log | grep AVC
type=USER_AVC msg=audit(1519227919.365:2627): pid=1104 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=2650 tpid=1095 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

2018-02-21T15:54:30.709Z|1446065|dpdk|ERR|VHOST_CONFIG: truncted msg
2018-02-21T15:54:30.709Z|1446066|dpdk|ERR|VHOST_CONFIG: vhost read message failed
2018-02-21T15:54:30.709Z|1446067|dpdk|INFO|VHOST_CONFIG: new vhost user connection is 62
2018-02-21T15:54:30.709Z|1446068|dpdk|INFO|VHOST_CONFIG: new device, handle is 0
2018-02-21T15:54:30.709Z|1446069|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_FEATURES
2018-02-21T15:54:30.709Z|1446070|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_PROTOCOL_FEATURES
2018-02-21T15:54:30.709Z|1446071|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_SET_PROTOCOL_FEATURES
2018-02-21T15:54:30.709Z|1446072|dpdk|INFO|VHOST_CONFIG: read message VHOST_USER_GET_QUEUE_NUM
2018-02-21T15:54:30.709Z|1446073|dpdk|ERR|VHOST_CONFIG: truncted msg


--- Additional comment from Daniel Berrange on 2018-03-06 11:17:02 EST ---

The virNetDaemon class that's used by virtlogd (and libvirtd) calls virNetDaemonCallInhibit() when it wants to prevent shutdown of the login session. This invokes the Inhibit message on logind over DBus, hence why this AVC is triggered. 

virtlogd inhibits shutdown whenever it has a log file for a running guest open, though. So the AVC being reported here is a gap in the policy.

That said, I think we could reasonably argue that virtlogd should not try to inhibit shutdown itself. libvirtd can already inhibit shutdown when QEMU is running, if required, so virtlogd is really not adding value in this respect.

So I'd suggest we can probably just remove the inhibit logic from src/logging/log_handler.c


Goal is to simply work around this USER_AVC while this is fixed in a future RHEL7 update.

--- Additional comment from Lon Hohberger on 2018-03-28 14:29:56 EDT ---


Comment 8 Lon Hohberger 2018-05-10 18:18:13 UTC
/usr/share/openstack-selinux/0.8.14/tests/bz1561711 is present in openstack-selinux-0.8.14-1 and all AVC regression tests passed
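
Added example (not part of the bug report and not the openstack-selinux test suite): a Python check that parses USER_AVC records such as the one quoted in the description, extracts the denied permission, source and target types and the D-Bus member, and reports whether the virtlogd Inhibit denial is present in an audit log. The function names are hypothetical, the second sample line is constructed, and the printed rule is only the shape audit2allow would derive from the record, not necessarily the rule shipped in the fixed package.

```python
import re

# First line: the USER_AVC record quoted in the description.
# Second line: a constructed non-AVC record to show it is ignored.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1519227919.365:2627): pid=1104 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=org.freedesktop.login1 spid=2650 tpid=1095 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1519227919.400:2628): arch=c000003e syscall=2 success=yes
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_user_avc(line):
    """Parse one audit line; return a dict for USER_AVC denials, else None."""
    if not line.startswith("type=USER_AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "interface": fields.get("interface"),
        "member": fields.get("member"),
    }

def denials(log_text):
    return [d for d in map(parse_user_avc, log_text.splitlines()) if d]

def to_rule(d):
    """Render the denial in the allow-rule shape audit2allow uses."""
    perms = d["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {p};"

def has_virtlogd_inhibit_denial(log_text):
    """True if virtlogd was denied sending Inhibit to logind over D-Bus."""
    return any(d["source"] == "virtlogd_t" and d["target"] == "systemd_logind_t"
               and d["tclass"] == "dbus" and "send_msg" in d["perms"]
               and d["member"] == "Inhibit" for d in denials(log_text))

if __name__ == "__main__":
    for d in denials(SAMPLE_LOG):
        print(d["member"], "->", to_rule(d))
    print("regression present:", has_virtlogd_inhibit_denial(SAMPLE_LOG))
```

Run against /var/log/audit/audit.log contents after starting a guest on an Enforcing host, a False result from has_virtlogd_inhibit_denial indicates the denial no longer occurs.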

Comment 11 errata-xmlrpc 2018-05-17 15:50:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

