Bug 1572510 - OSP10: Support for dpdkvhostuserclient mode
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified Unspecified
Priority: high
Severity: high
Target Milestone: async
Target Release: 10.0 (Newton)
Assigned To: Lon Hohberger
QA Contact: Udi Shkalim
Keywords: Triaged, ZStream
Depends On: 1557850
Blocks: 1561869 1561870 1568355 1568356
 
Reported: 2018-04-27 04:01 EDT by Saravanan KR
Modified: 2018-06-27 19:35 EDT

Fixed In Version: openstack-selinux-0.8.14-5.el7ost
Clone Of: 1557850
Last Closed: 2018-06-27 19:33:22 EDT
Type: Bug


Attachments
compute selinux vhost socket issue (11.19 MB, application/x-xz), 2018-04-27 04:42 EDT, Saravanan KR
sosreport dontaudit enforcing (18.10 MB, application/octet-stream), 2018-04-30 05:36 EDT, Saravanan KR


External Trackers
Tracker: Red Hat Product Errata; ID: RHSA-2018:2102; Priority: None; Status: None; Summary: None; Last Updated: 2018-06-27 19:35 EDT

Comment 1 Saravanan KR 2018-04-27 04:40:59 EDT
SELinux is preventing dpdkvhostuserclient ports from being accessed by ovs in the directory /var/lib/vhost_sockets.

Probably related to BZ #1561729. I also see a lot of ovs logs. I will attach the sos-report.


[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -dZ
drwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 /var/lib/vhost_sockets/
[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -Z
srwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 vhu66209262-ab


[root@overcloud-compute-0 heat-admin]# rpm -qa | grep 'selinux\|openvswitch'
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
libselinux-ruby-2.5-12.el7.x86_64
openvswitch-ovn-central-2.6.1-28.git20180130.el7ost.x86_64
container-selinux-2.55-1.el7.noarch
python-openvswitch-2.9.0-19.el7fdp.noarch
openvswitch-2.9.0-19.el7fdp.x86_64
ceph-selinux-10.2.10-17.el7cp.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-192.el7_5.3.noarch
openstack-selinux-0.8.14-1.el7ost.noarch
openstack-neutron-openvswitch-9.4.1-16.el7ost.noarch
libselinux-utils-2.5-12.el7.x86_64
openvswitch-ovn-host-2.9.0-19.el7fdp.x86_64
libselinux-2.5-12.el7.x86_64
openvswitch-ovn-common-2.9.0-19.el7fdp.x86_64
[root@overcloud-compute-0 heat-admin]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 (Maipo)
Comment 2 Saravanan KR 2018-04-27 04:42 EDT
Created attachment 1427579
compute selinux vhost socket issue
Comment 3 Lon Hohberger 2018-04-27 12:27:35 EDT
The AVCs in the audit.log (from the sosreport) do not appear directly related to vhost_sockets / virt_cache_t.

There are these errors in the system logs:

Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00005|dpdk|ERR|VHOST_CONFIG: truncted msg
Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00006|dpdk|ERR|VHOST_CONFIG: vhost read message failed

However, there are no obvious (to me) corresponding AVCs in /var/log/audit/audit.log that would explain them. ovs-vswitchd runs as 'openvswitch_t'.

There are other AVCs which appear unrelated.
Comment 4 Lon Hohberger 2018-04-27 13:06:04 EDT
You might try running with SELinux in permissive with dontaudit rules disabled and capturing that sosreport.  That might help identify the problem.

Also, that truncated read should not result in ovs-vswitchd going into a flat spin and spewing millions of errors to syslog, but that's not related to this bug.
Comment 5 Saravanan KR 2018-04-30 03:03:57 EDT
(In reply to Lon Hohberger from comment #4)
> You might try running with SELinux in permissive with dontaudit rules
> disabled and capturing that sosreport.  That might help identify the problem.
Can you elaborate on the steps and commands to be executed to disable dontaudit rules and capture sosreport?

> 
> Also, that truncated read should not result in ovs-vswitchd going into a
> flat spin and spewing millions of errors to syslog, but that's not related
> to this bug.
The VM is in the paused state when SELinux is Enforcing, and ovs dumps these logs. The moment it is changed to permissive, the VM moves to active state and ovs stops dumping logs. This is the only reason for treating it as related to SELinux.
Comment 6 Saravanan KR 2018-04-30 04:49:10 EDT
After disabling the dontaudit module, below is the error in the audit.log. I will attach an sosreport.

--------------------------------------------------
[root@overcloud-compute-0 heat-admin]# semodule --disable_dontaudit --build
[root@overcloud-compute-0 heat-admin]# getenforce
Enforcing
--------------------------------------------------

type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket

--------------------------------------------------
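
The AVC record in comment 6 can be triaged mechanically. The following added example (not part of the bug report or of openstack-selinux; function names are hypothetical) parses it, groups denials by source type, target type and class, and renders the type-enforcement rule each denial corresponds to for policy review. The rendered rule is not claimed to be the change shipped in the erratum.

```python
import re
from collections import defaultdict

# First line: the AVC record from comment 6. Second line: a constructed
# non-AVC record, included to show that other record types are skipped.
SAMPLE_LOG = '''type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket
type=SYSCALL msg=audit(0.000:0): constructed non-AVC record
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """Return (type, level) from user:role:type[:level].
    The MLS/MCS level may itself contain ':' (e.g. s0:c14,c629)."""
    parts = ctx.split(":", 3)
    return parts[2], (parts[3] if len(parts) > 3 else "")

def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    source, _ = split_context(m["scontext"])
    target, target_level = split_context(m["tcontext"])
    return {"comm": m["comm"], "perms": m["perms"].split(),
            "source": source, "target": target,
            "target_level": target_level, "tclass": m["tclass"]}

def summarize(log):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            denials[key].update(rec["perms"])
    return dict(denials)

def te_rules(denials):
    """Render each denial group as the allow rule it corresponds to."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    for rule in te_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The `target_level` field keeps the MCS categories (`s0:c14,c629`), which identify the socket as belonging to one specific sVirt-confined guest rather than to a generic `svirt_t` process.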
Comment 7 Saravanan KR 2018-04-30 05:36 EDT
Created attachment 1428734
sosreport dontaudit enforcing
Comment 8 Lon Hohberger 2018-04-30 08:18:01 EDT
Confirmed; the only AVCs I see in the new audit.log are as in comment #6.
Comment 18 errata-xmlrpc 2018-06-27 19:33:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2102
