1726838 – [RHEL-7.7] Got AVC while running OVS-dpdk testing under Rhel-7.7

The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 1726838 - [RHEL-7.7] Got AVC while running OVS-dpdk testing under Rhel-7.7

Summary: [RHEL-7.7] Got AVC while running OVS-dpdk testing under Rhel-7.7

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	openvswitch-selinux-extra-policy
Sub Component:
Version:	FDP 19.D
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Aaron Conole
QA Contact:	Jean-Tsung Hsiao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-03 20:36 UTC by Jean-Tsung Hsiao
Modified:	2020-03-10 08:55 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openvswitch-selinux-extra-policy-1.0-15.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-10 08:55:04 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
test package (8.36 KB, application/x-rpm) 2019-10-21 14:58 UTC, Aaron Conole	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:0741	0	None	None	None	2020-03-10 08:55:06 UTC

Description Jean-Tsung Hsiao 2019-07-03 20:36:05 UTC

Description of problem: [RHEL-7.7] Got AVC while running OVS-dpdk testing under Rhel-7.7

Please review the following log piece from beaker job, https://beaker.engineering.redhat.com/jobs/3633391

Info: Searching AVC errors produced since 1561649823.55 (Thu Jun 27 11:37:03 2019)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 06/27/2019 11:37:03 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.w3ugVE 2>&1'
----
time->Thu Jun 27 11:37:17 2019
type=PROCTITLE msg=audit(1561649837.910:94): proctitle=6F76732D767377697463686400756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F002D2D6D6C6F636B616C6C002D2D6E6F2D6368646972002D2D6C6F672D66696C653D2F7661722F6C6F67
type=SYSCALL msg=audit(1561649837.910:94): arch=c000003e syscall=0 success=yes exit=8 a0=1f a1=7fff24a27b60 a2=8 a3=9 items=0 ppid=1 pid=5022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1561649837.910:94): avc:  denied  { sys_admin } for  pid=5022 comm="ovs-vswitchd" capability=21  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.w3ugVE | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
https://beaker.engineering.redhat.com/jobs/3633391


Version-Release number of selected component (if applicable):
19.D testing under RHEL-7.7-20190619.0

How reproducible: Reproducible


Steps to Reproduce:
1. https://beaker.engineering.redhat.com/jobs/3633391
2.
3.

Actual results:


Expected results:


Additional info:

Comment 5 Aaron Conole 2019-10-21 14:58:46 UTC

Created attachment 1627719 [details]
test package

Comment 10 Jean-Tsung Hsiao 2019-11-25 19:21:02 UTC

For sanity, ran PvP tests against openvswitch2.11-2.11.0-28.el7fdn.x86_64 --- passed.

Comment 11 Jean-Tsung Hsiao 2019-12-09 03:57:42 UTC

Hi Aaron,
This issue still exists in 20.A testing. Here is a failed job cause by AVC: https://beaker.engineering.redhat.com/jobs/3944463.
Please look into it.
Thanks!
Jean

Comment 12 Aaron Conole 2020-01-13 14:12:59 UTC

https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1053468

Built

Comment 14 Jean-Tsung Hsiao 2020-01-29 04:04:26 UTC

The bug fix has been verified. Please check the following job:
https://beaker.engineering.redhat.com/jobs/4040466

Comment 16 errata-xmlrpc 2020-03-10 08:55:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0741

Note You need to log in before you can comment on or make changes to this bug.