Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2107705

Summary: avc: denied { write } for pid=xxxxx comm="ovs-appctl" for ovn*.ctl
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Rick Alongi <ralongi>
Component: openvswitch-selinux-extra-policy
Assignee: Aaron Conole <aconole>
Status: CLOSED EOL
QA Contact: Rick Alongi <ralongi>
Severity: unspecified
Priority: unspecified
Docs Contact:
Version: FDP 22.F
CC: aconole, ctrautma, qding
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-10-08 17:49:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: audit.log (flags: none)

Description Rick Alongi 2022-07-15 17:17:59 UTC
Created attachment 1897467 [details]
audit.log

Description of problem:
avc.log reports denied { write } for pid=xxxxx comm="ovs-appctl" for various PIDs related to OVN processes (more details below)

Version-Release number of selected component (if applicable):
kernel: 4.18.0-305.25.1.el8_4.x86_64
openvswitch2.16-2.16.0-86.el8fdp.x86_64
openvswitch-selinux-extra-policy-1.0-29.el8fdp.noarch
ovn22.06-central-22.06.0-16.el8fdp.x86_64
ovn22.06-22.06.0-16.el8fdp.x86_64
ovn22.06-host-22.06.0-16.el8fdp.x86_64

How reproducible:


Steps to Reproduce:
1. Ran memory-leak soak Beaker job using Valgrind
2. avc.log in the job shows errors

Actual results:
AVC denied messages

Expected results:
no AVC denied messages

Additional info:

Link to sample avc.log: https://beaker.engineering.redhat.com/recipes/12277391/tasks/147262824/results/687410019/logs/avc.log

Link to beaker job: https://beaker.engineering.redhat.com/jobs/6810726

Link to sosreport: http://netqe-infra01.knqe.lab.eng.bos.redhat.com/sosreports/sosreport-wsfd-advnetlab34-2022-07-15-ydsbbpp.tar.xz

Steps to configure Valgrind in test:

+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig
+ sedeasy 'OPTIONS=""' 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"' /etc/sysconfig/openvswitch
++ echo 'OPTIONS=""'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo 'OPTIONS="--ovs-vswitchd-wrapper=valgrind"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OPTIONS=""/OPTIONS="--ovs-vswitchd-wrapper=valgrind"/g' /etc/sysconfig/openvswitch
+ sedeasy 'OVS_USER_ID="openvswitch:hugetlbfs"' '#OVS_USER_ID="openvswitch:hugetlbfs"' /etc/sysconfig/openvswitch
++ echo 'OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo '#OVS_USER_ID="openvswitch:hugetlbfs"'
++ sed -e 's/[\/&]/\\&/g'
+ sed -i 's/OVS_USER_ID="openvswitch:hugetlbfs"/#OVS_USER_ID="openvswitch:hugetlbfs"/g' /etc/sysconfig/openvswitch
+ sedeasy openvswitch:hugetlbfs root:root /run/openvswitch.useropts
++ echo openvswitch:hugetlbfs
++ sed -e 's/\([[\/.*]\|\]\)/\\&/g'
++ echo root:root
++ sed -e 's/[\/&]/\\&/g'
+ sed -i s/openvswitch:hugetlbfs/root:root/g /run/openvswitch.useropts
+ echo 'OVN_CONTROLLER_OPTS="--ovn-controller-wrapper=valgrind"'
+ echo 'OVN_NORTHD_OPTS="--ovn-northd-wrapper=valgrind --ovsdb-nb-wrapper=valgrind --ovsdb-sb-wrapper=valgrind"'
+ setenforce 0
+ systemctl restart openvswitch
+ ausearch -c memcheck-amd64- --raw
+ audit2allow -M my-memcheckamd64
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-memcheckamd64.pp

+ semodule -i my-memcheckamd64.pp
+ setenforce 1
+ rm -f /var/log/openvswitch/ovs-vswitchd.valgrind.log.14762 /var/log/openvswitch/ovs-vswitchd.valgrind.log.14767
+ systemctl restart openvswitch
+ systemctl restart ovn-controller
+ systemctl restart ovn-northd

Comment 2 Aaron Conole 2022-08-08 14:42:21 UTC
How did you get this kind of error to trigger?  Normally, we see that OVN/OVS files are tagged as:

openvswitch_var_run_t

But in the error message reported, the target context is

var_run_t

So I guess maybe there is a labeling issue?

Comment 3 Aaron Conole 2022-09-14 15:45:58 UTC
Closing for now.  Some of these steps show that there is likely a relabel issue.  For example:

+ cp /etc/sysconfig/openvswitch /etc/sysconfig/openvswitch_orig

What other copies / moves happen?  systemd ovs will create the openvswitch /var/run space as
labeled with openvswitch_var_run_t so I don't know what the script does for valgrind.

Can you put a link to the exact test script that is doing the configuration?
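
As an added example (not code from this bug, its audit.log attachment, or the openvswitch-selinux-extra-policy package): a small triage script for AVC records of the kind reported here. It parses each "avc: denied" line, separates denials whose target carries the expected openvswitch_var_run_t type (a genuine policy gap) from denials whose target carries the generic var_run_t type that comment 2 points out (a labeling problem), and shows the allow rule that audit2allow would synthesise from each record. That last part makes the cost of the "setenforce 0 / audit2allow -M / semodule -i" step in the test script visible: a rule generated against var_run_t grants the OVS domain write access to every sock_file labeled var_run_t on the host, not only the OVN control sockets. The sample log lines, the source type openvswitch_t, the GENERIC_TYPES set and all PIDs, inodes and timestamps are constructed for the example and are not taken from the attachment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample audit records in the shape this bug reports (ovs-appctl
# denied "write" on OVN .ctl control sockets). These are NOT lines from the
# attached audit.log: PIDs, inodes, timestamps and the exact contexts are
# made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1657905479.118:2341): avc:  denied  { write } for  pid=14790 comm="ovs-appctl" name="ovn-controller.14801.ctl" dev="tmpfs" ino=51234 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657905481.552:2342): avc:  denied  { write } for  pid=14792 comm="ovs-appctl" name="ovn-northd.14810.ctl" dev="tmpfs" ino=51240 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1657905490.004:2350): avc:  denied  { read write } for  pid=14795 comm="ovs-appctl" name="ovs-vswitchd.14700.ctl" dev="tmpfs" ino=51300 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1657905490.004:2350): arch=c000003e syscall=42 success=no exit=-13 comm="ovs-appctl"
"""

# Type the OVS runtime directory is expected to carry (see comment 3 above).
EXPECTED_RUNTIME_TYPE = "openvswitch_var_run_t"
# Assumption: a target carrying one of these generic types means the object was
# created or copied without the OVS file-context rule being applied.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "tmpfs_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: List[str]
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(log_text: str) -> List[Denial]:
    """Extract AVC denial records; other audit record types (SYSCALL, ...) are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=m.group("perms").split(),
            comm=kv.get("comm", "?"),
            name=kv.get("name", "?"),
            scontext=kv["scontext"],
            tcontext=kv["tcontext"],
            tclass=kv["tclass"],
        ))
    return denials


def classify(d: Denial) -> str:
    """'mislabel' -> fix labels with restorecon; 'policy-gap' -> the policy itself lacks the rule."""
    if d.target_type == EXPECTED_RUNTIME_TYPE:
        return "policy-gap"
    if d.target_type in GENERIC_TYPES:
        return "mislabel"
    return "unknown"


def audit2allow_rule(d: Denial) -> str:
    """The allow rule audit2allow would synthesise from this single record."""
    perms = sorted(set(d.perms))
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perm_str};"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group the rules audit2allow would generate by verdict, deduplicated, in log order."""
    report: Dict[str, List[str]] = {"mislabel": [], "policy-gap": [], "unknown": []}
    for d in parse_avc(log_text):
        rule = audit2allow_rule(d)
        bucket = report[classify(d)]
        if rule not in bucket:
            bucket.append(rule)
    return report


if __name__ == "__main__":
    for verdict, rules in triage(SAMPLE_AUDIT_LOG).items():
        for rule in rules:
            print(f"{verdict:11} {rule}")
```

When a record lands in the "mislabel" bucket, the remediation is to restore the file contexts (for example `restorecon -Rv` on /run/openvswitch and on whichever directory holds the ovn*.ctl sockets, after confirming with `matchpathcon` that the policy maps that path to openvswitch_var_run_t) and re-run the soak job, rather than loading the audit2allow module; the generated `allow openvswitch_t var_run_t:sock_file write;` would paper over the label problem while widening what the OVS domain may touch.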

Comment 11 ovs-bot 2024-10-08 17:49:14 UTC
This bug did not meet the criteria for automatic migration and is being closed.
If the issue remains, please open a new ticket in https://issues.redhat.com/browse/FDP

Comment 12 Red Hat Bugzilla 2025-02-06 04:25:17 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days