Created attachment 1897467: audit.log

Description of problem:
avc.log reporting denied { write } for pid=xxxxx comm="ovs-appctl" for various PIDs related to ovn processes (more details below)

Version-Release number of selected component (if applicable):
kernel: 4.18.0-305.25.1.el8_4.x86_64
openvswitch2.16-2.16.0-86.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch
ovn22.06-central-22.06.0-16.el8fdp.x86_64
ovn22.06-22.06.0-16.el8fdp.x86_64
ovn22.06-host-22.06.0-16.el8fdp.x86_64

How reproducible:

Steps to Reproduce:
1. Ran memory leak soak beaker job using Valgrind
2. avc.log in job shows errors

Actual results:
AVC denied messages

Expected results:
no AVC denied messages

Additional info:
Link to sample avc.log: https://beaker.engineering.redhat.com/recipes/12277391/tasks/147262824/results/687410019/logs/avc.log
Link to beaker job: https://beaker.engineering.redhat.com/jobs/6810726
Link to sosreport: http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-wsfd-advnetlab34-2022-07-15-ydsbbpp.tar.xz

Steps to configure Valgrind in test:
+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig
+ sedeasy 'OPTIONS=""' 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"' /etc/sysconfig/openvswitch
++ echo 'OPTIONS=""'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OPTIONS=""/OPTIONS="--ovs-vswitchd-wrapper=valgrind"/g' /etc/sysconfig/openvswitch
+ sedeasy 'OVS_USER_ID="openvswitch:hugetlbfs"' '#OVS_USER_ID="openvswitch:hugetlbfs"' /etc/sysconfig/openvswitch
++ echo 'OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo '#OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OVS_USER_ID="openvswitch:hugetlbfs"/#OVS_USER_ID="openvswitch:hugetlbfs"/g' /etc/sysconfig/openvswitch
+ sedeasy openvswitch:hugetlbfs root:root /run/openvswitch.useropts
++ echo openvswitch:hugetlbfs
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo root:root
++ sed -e 's/[\/&]/\\&/g'
+ sed -i s/openvswitch:hugetlbfs/root:root/g /run/openvswitch.useropts
+ echo 'OVN_CONTROLLER_OPTS="--ovn-controller-wrapper=valgrind"'
+ echo 'OVN_NORTHD_OPTS="--ovn-northd-wrapper=valgrind --ovsdb-nb-wrapper=valgrind --ovsdb-sb-wrapper=valgrind"'
+ setenforce 0
+ systemctl restart openvswitch
+ ausearch -c memcheck-amd64- --raw
+ audit2allow -M my-memcheckamd64
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-memcheckamd64.pp

+ semodule -i my-memcheckamd64.pp
+ setenforce 1
+ rm -f /var/log/openvswitch/ovs-vswitchd.valgrind.log.14762 /var/log/openvswitch/ovs-vswitchd.valgrind.log.14767
+ systemctl restart openvswitch
+ systemctl restart ovn-controller
+ systemctl restart ovn-northd
How did you get this kind of error to trigger?

Normally, we see that OVN/OVS files are tagged as openvswitch_var_run_t, but in the error message reported, the target context is var_run_t. So I guess maybe there is a labeling issue?
Closing for now. Some of these steps show that there is likely a relabel issue. For example:

+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig

What other copies / moves happen? systemd ovs will create the openvswitch /var/run space as labeled with openvswitch_var_run_t, so I don't know what the script does for valgrind. Can you put a link to the exact test script that is doing the configuration?
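Added example (not code from the bug report or the test script): a small Python check that parses AVC records the way the two comments above reason about them, flagging denials whose target context type is not openvswitch_var_run_t. The audit lines embedded in it are constructed, not taken from the attached avc.log; pids, inodes and socket names are made up.

```python
import re
from typing import Optional

# Expected SELinux type for the OVS/OVN runtime directory (from the discussion).
EXPECTED_RUN_TYPE = "openvswitch_var_run_t"

# Constructed sample AVC records, not from the attached avc.log. The field layout
# follows the kernel audit AVC format; pids, inodes and socket names are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1657900000.123:4521): avc:  denied  { write } for  pid=14762 comm="ovs-appctl" name="ovs-vswitchd.14762.ctl" dev="tmpfs" ino=77111 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657900001.456:4522): avc:  denied  { write } for  pid=14767 comm="ovs-appctl" name="ovn-controller.14767.ctl" dev="tmpfs" ino=77120 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657900002.789:4523): avc:  denied  { read } for  pid=14770 comm="ovs-vsctl" name="db.sock" dev="tmpfs" ino=77130 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1657900002.789:4523): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) '
    r'comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]

def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC denial line into its fields; None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    return d

def find_mislabeled(log_text: str, expected_type: str = EXPECTED_RUN_TYPE) -> list:
    """Return (pid, comm, name, tcontext_type) for denials whose target object
    does not carry the expected runtime type. Such hits point at a relabel
    problem (restorecon), not at a rule that should be added with audit2allow."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = context_type(rec["tcontext"])
        if ttype != expected_type:
            hits.append((int(rec["pid"]), rec["comm"], rec["name"], ttype))
    return hits
```

On the constructed sample, the two ovs-appctl denials against var_run_t are reported and the openvswitch_var_run_t one is not, which is the distinction the comments above draw before reaching for audit2allow.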
Link to test script: https://gitlab.cee.redhat.com/kernel-qe/kernel/-/blob/master/networking/openvswitch/memory_leak_soak/runtest.sh

Link to location in test script where Valgrind is configured: https://gitlab.cee.redhat.com/kernel-qe/kernel/-/blob/master/networking/openvswitch/memory_leak_soak/runtest.sh#L295

Link to supporting env.sh file (probably not relevant to this issue): https://gitlab.cee.redhat.com/kernel-qe/kernel/-/blob/master/networking/openvswitch/memory_leak_soak/env.sh