Bug 1572510 - OSP10: Support for dpdkvhostuserclient mode
Summary: OSP10: Support for dpdkvhostuserclient mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: async
Target Release: 10.0 (Newton)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On: 1557850
Blocks: 1561869 1561870 1568355 1568356
Reported: 2018-04-27 08:01 UTC by Saravanan KR
Modified: 2018-06-27 23:35 UTC (History)

Fixed In Version: openstack-selinux-0.8.14-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1557850
Environment:
Last Closed: 2018-06-27 23:33:22 UTC
Target Upstream Version:


Attachments (Terms of Use)
compute selinux vhost socket issue (11.19 MB, application/x-xz)
2018-04-27 08:42 UTC, Saravanan KR
no flags Details
sosreport dontaudit enforcing (18.10 MB, application/octet-stream)
2018-04-30 09:36 UTC, Saravanan KR
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2102 None None None 2018-06-27 23:35:37 UTC

Comment 1 Saravanan KR 2018-04-27 08:40:59 UTC
SELinux is preventing dpdkvhostuserclient ports from being accessed by ovs in the directory /var/lib/vhost_sockets.

Probably related to BZ #1561729; I also see a lot of ovs logs. I will attach the sos-report.


[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -dZ
drwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 /var/lib/vhost_sockets/
[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -Z
srwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 vhu66209262-ab


[root@overcloud-compute-0 heat-admin]# rpm -qa | grep 'selinux\|openvswitch'
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
libselinux-ruby-2.5-12.el7.x86_64
openvswitch-ovn-central-2.6.1-28.git20180130.el7ost.x86_64
container-selinux-2.55-1.el7.noarch
python-openvswitch-2.9.0-19.el7fdp.noarch
openvswitch-2.9.0-19.el7fdp.x86_64
ceph-selinux-10.2.10-17.el7cp.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-192.el7_5.3.noarch
openstack-selinux-0.8.14-1.el7ost.noarch
openstack-neutron-openvswitch-9.4.1-16.el7ost.noarch
libselinux-utils-2.5-12.el7.x86_64
openvswitch-ovn-host-2.9.0-19.el7fdp.x86_64
libselinux-2.5-12.el7.x86_64
openvswitch-ovn-common-2.9.0-19.el7fdp.x86_64
[root@overcloud-compute-0 heat-admin]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 (Maipo)

Comment 2 Saravanan KR 2018-04-27 08:42:22 UTC
Created attachment 1427579 [details]
compute selinux vhost socket issue

Comment 3 Lon Hohberger 2018-04-27 16:27:35 UTC
The AVCs in the audit.log (from the sosreport) do not appear directly related to vhost_sockets / virt_cache_t.

There are these errors in the system logs:

Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00005|dpdk|ERR|VHOST_CONFIG: truncted msg
Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00006|dpdk|ERR|VHOST_CONFIG: vhost read message failed

However, there are no obvious (to me) corresponding AVCs in /var/log/audit/audit.log that would explain them. ovs-vswitchd runs as 'openvswitch_t'.

There are other AVCs which appear unrelated.

Comment 4 Lon Hohberger 2018-04-27 17:06:04 UTC
You might try running with SELinux in permissive with dontaudit rules disabled and capturing that sosreport.  That might help identify the problem.

Also, that truncated read should not result in ovs-vswitchd going into a flat spin and spewing millions of errors to syslog, but that's not related to this bug.

Comment 5 Saravanan KR 2018-04-30 07:03:57 UTC
(In reply to Lon Hohberger from comment #4)
> You might try running with SELinux in permissive with dontaudit rules
> disabled and capturing that sosreport.  That might help identify the problem.
Can you elaborate on the steps and commands to be executed to disable dontaudit rules and capture sosreport?

> 
> Also, that truncated read should not result in ovs-vswitchd going into a
> flat spin and spewing millions of errors to syslog, but that's not related
> to this bug.
The VM is in the paused state while SELinux is Enforcing and ovs dumps these logs. The moment it is changed to permissive, the VM moves to the active state and ovs stops dumping logs. This is the only reason for treating it as related to SELinux.

Comment 6 Saravanan KR 2018-04-30 08:49:10 UTC
After disabling the dontaudit module, the error below appears in the audit.log; I will attach an sosreport.

--------------------------------------------------
[root@overcloud-compute-0 heat-admin]# semodule --disable_dontaudit --build
[root@overcloud-compute-0 heat-admin]# getenforce
Enforcing
--------------------------------------------------

type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket

--------------------------------------------------
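Added example (not from the bug report or from openstack-selinux): a small Python audit-log scanner that parses AVC records such as the one in comment 6 and flags denials where openvswitch_t is refused access to a unix_stream_socket labelled svirt_t, the vhost-user socket pattern behind this bug. The sample log text is constructed, combining the comment 6 record with an unrelated, made-up denial and a non-AVC record.

```python
import re

# Constructed sample audit.log text: the first record is the denial reported in
# comment 6 of this bug; the others are made up here to show non-matching input.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket
type=AVC msg=audit(1525078050.000:1080090): avc:  denied  { getattr } for  pid=2201 comm="sshd" path="/etc/example" dev="dm-0" ino=12345 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1525078048.180:1080085): arch=c000003e syscall=0 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:level]; keep the type alone for matching,
    # since the MCS categories (c14,c629 above) differ per guest.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def is_vhostuser_denial(rec):
    """True when OVS (openvswitch_t) is denied a unix socket owned by a guest (svirt_t)."""
    return (rec["result"] == "denied"
            and rec.get("scontext_type") == "openvswitch_t"
            and rec.get("tcontext_type") == "svirt_t"
            and rec.get("tclass") == "unix_stream_socket")

def find_vhostuser_denials(log_text):
    """Scan audit log text and return the AVC records matching the vhost-user pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_vhostuser_denial(rec):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_vhostuser_denials(SAMPLE_AUDIT_LOG):
        print(rec["comm"], rec["pid"], rec["perms"], rec["tcontext"])
```

Run it against a real /var/log/audit/audit.log only after dontaudit rules are disabled as in comment 6, since the denial is otherwise silent.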

Comment 7 Saravanan KR 2018-04-30 09:36:51 UTC
Created attachment 1428734 [details]
sosreport dontaudit enforcing

Comment 8 Lon Hohberger 2018-04-30 12:18:01 UTC
Confirmed; the only AVCs I see in the new audit.log are as in comment #6.

Comment 18 errata-xmlrpc 2018-06-27 23:33:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2102

