Bug 2051790
| Summary: | THere is avc.log when running ovs dpdk container case [FDP-9] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | liting <tli> | |
| Component: | openvswitch3.1 | Assignee: | Aaron Conole <aconole> | |
| Status: | CLOSED ERRATA | QA Contact: | Jiying Qiu <jiqiu> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | FDP 22.A | CC: | ctrautma, fleitner, jhsiao, ralongi | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2215307 (view as bug list) | Environment: | ||
| Last Closed: | 2023-08-21 02:08:19 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2215307 | |||
For rhel9, it also has this issue. https://beaker.engineering.redhat.com/jobs/6824964 Aaron, It happens with RHEL-9 according to comment#1, so I am moving to OVS 3.1. If that doesn't happen with 3.1, then we should close this because 2.15 is EOL. Maybe this needs to go to RHEL SELinux instead. fbl What is the test scenario you're running? user_tmp_t isn't typically how vhost images are labeled. We can support this, but I want to make sure that there isn't something that changed which I'm missing. According to Comment#2,Run ovs-dpdk-tunneling case with openvswitch3.1-3.1.0-33.el9fdp and openvswitch-selinux-extra-policy-1.0-33.el9fdp,There is no avc error reported. https://beaker.engineering.redhat.com/jobs/8138018 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:4675 |
Description of problem: THere is avc.log when running ovs dpdk container case Version-Release number of selected component (if applicable): [root@dell-per730-50 ~]# rpm -qa|grep openvs openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch openvswitch2.15-2.15.0-57.el8fdp.x86_64 kernel-kernel-networking-openvswitch-perf-1.0-210.noarch [root@dell-per730-50 ~]# uname -r 4.18.0-305.25.1.el8_4.x86_64 How reproducible: Steps to Reproduce: Run ovs dpdk container performance case 1. build ovsbr0 Bridge ovsbr0 datapath_type: netdev Port dpdk1 Interface dpdk1 type: dpdk options: {dpdk-devargs="0000:07:00.1", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"} Port vhost0 Interface vhost0 type: dpdkvhostuserclient options: {vhost-server-path="/tmp/vhostuser/vhost0"} Port vhost1 Interface vhost1 type: dpdkvhostuserclient options: {vhost-server-path="/tmp/vhostuser/vhost1"} Port ovsbr0 Interface ovsbr0 type: internal Port dpdk0 Interface dpdk0 type: dpdk options: {dpdk-devargs="0000:07:00.0", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"} ovs_version: "2.15.4" 2. Start container podman run -i -t --privileged -v /tmp/vhostuser:/tmp/vhostuser -v /dev/hugepages:/dev/hugepages 4f4c841655b8 dpdk-testpmd -l 0-2 -n 1 -m 1024 --no-pci --vdev=virtio_user0,path=/tmp/vhostuser/vhost0,server=1 --vdev=virtio_user1,path=/tmp/vhostuser/vhost1,server=1 -- -i --forward-mode=io --burst=32 --rxd=8192 --txd=8192 --max-pkt-len=9600 --mbuf-size=9728 --nb-cores=2 --rxq=1 --txq=1 --mbcache=512 --auto-start 3. Send traffic with trex ./binary-search.py --traffic-generator=trex-txrx --frame-size=64 --num-flows=1024 --max-loss-pct=0 --search-runtime=10 --validation-runtime=60 --rate-tolerance=10 --runtime-tolerance=10 --rate=25 --rate-unit=% --duplicate-packet-failure=retry-to-fail --negative-packet-loss=retry-to-fail --rate=100 --rate-unit=% --one-shot=0 --use-src-ip-flows=1 --use-dst-ip-flows=1 --use-src-mac-flows=1 --use-dst-mac-flows=1 --send-teaching-measurement --send-teaching-warmup --teaching-warmup-packet-type=generic --teaching-warmup-packet-rate=1000 --warmup-trial --warmup-trial-runtime=10 --warmup-trial-rate=1 Actual results: There is following avc.log in beaker job. https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/01/62441/6244143/11377650/139181046/651013886/avc.log type=PROCTITLE msg=audit(1643614160.199:188): proctitle=6F76732D767377697463686400756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F002D2D6D6C6F636B616C6C002D2D75736572006F70656E767377697463683A68756765746C626673002D type=SYSCALL msg=audit(1643614160.199:188): arch=c000003e syscall=42 success=no exit=-111 a0=4b a1=557bb2c4f354 a2=6e a3=0 items=0 ppid=1 pid=14378 auid=4294967295 uid=994 gid=1001 euid=994 suid=994 fsuid=994 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="vhost-events" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null) type=AVC msg=audit(1643614160.199:188): avc: denied { write } for pid=14378 comm="vhost-events" dev="dm-0" ino=135207994 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1 Expected results: No avc.log Additional info: https://beaker.engineering.redhat.com/jobs/6244143 https://beaker.engineering.redhat.com/jobs/6275066