Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2186278

Summary: [OVS DPDK] Encounter modprobe AVC's while configuring OVS DPDK bridge with two interfaces
Product: Red Hat Enterprise Linux Fast Datapath
Component: openvswitch2.15
Version: RHEL 9.0
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jean-Tsung Hsiao <jhsiao>
Assignee: Aaron Conole <aconole>
QA Contact: Jiying Qiu <jiqiu>
CC: bfubel, ctrautma, fleitner, jhsiao, ralongi
Last Closed: 2023-08-21 02:08:19 UTC
Type: Bug

Description Jean-Tsung Hsiao 2023-04-12 16:27:58 UTC
Description of problem: [OVS DPDK] Encounter modprobe AVC's while configuring OVS DPDK bridge with two interfaces

We ran kernel/networking/ovs-dpdk-selinux automation and found the following two AVC's:

++ check_AVC
+++ grep -c -w AVC /var/log/audit/audit.log
++ '[' 2 == 0 ']'
++ grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1681305244.948:109): avc:  denied  { search } for  pid=9713 comm="modprobe" name="events" dev="tracefs" ino=5132 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1681305244.948:109): avc:  denied  { search } for  pid=9713 comm="modprobe" name="events" dev="tracefs" ino=5132 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
++ return 1

The check_AVC function ran right after configuring an OVS DPDK bridge.

This modprobe AVC is related to openvswitch based on the AVC lines above. But, it seems to be benign as the bridge was
built successfully --- the daemon showed no ERRs when attaching two dpdk interfaces to the bridge.

NOTE: Same AVC outputs for ixgbe, i40e, ice and mlx5 NICs --- so far I have tried these four NICs. It seems to be generic.


Version-Release number of selected component (if applicable):

[root@netqe29 audit]# uname -r
5.14.0-284.10.1.el9_2.x86_64
[root@netqe29 audit]# rpm -q openvswitch2.15
openvswitch2.15-2.15.0-81.el9fdp.x86_64

How reproducible: Reproducible


Steps to Reproduce: Run kernel/networking/ovs-dpdk-selinux

Comment 1 Jean-Tsung Hsiao 2023-04-12 16:30:03 UTC
Aaron has already reviewed the two modprobe AVC's.

Comment 2 Aaron Conole 2023-05-23 20:46:37 UTC
Please test with https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2517138

Comment 5 Jiying Qiu 2023-08-01 06:34:45 UTC
Verified with ovs2.15 and openvswitch-selinux-extra-policy-1.0-33.el9fdp.noarch.rpm, there is no avc error reported.
https://beaker.engineering.redhat.com/jobs/8137977

Comment 7 errata-xmlrpc 2023-08-21 02:08:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4675
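
An added example (not part of the original report or of the ovs-dpdk-selinux test): a small Python parser for AVC records like the ones quoted in the description, which groups denials by command, source domain, target type, class and permission and collects audit event IDs, so repeated records are reported as one distinct denial. Function names are illustrative, and the sample input is the record from the description, embedded inline.

```python
import re
from collections import Counter

# Constructed sample: the AVC record quoted in the description, repeated twice
# as it appears in the grep output.
SAMPLE = (
    'type=AVC msg=audit(1681305244.948:109): avc:  denied  { search } for  pid=9713 '
    'comm="modprobe" name="events" dev="tracefs" ino=5132 '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0\n'
) * 2

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial record, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['event'] = m.group('event')            # timestamp:serial of the audit event
    rec['perms'] = tuple(m.group('perms').split())
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type:level SELinux context."""
    return ctx.split(':')[2]


def summarize(log_text):
    """Count records per distinct denial and collect the audit event IDs seen."""
    counts, events = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        events.add(rec['event'])
        key = (rec['comm'], context_type(rec['scontext']), context_type(rec['tcontext']),
               rec['tclass'], rec['perms'], rec['permissive'] == '1')
        counts[key] += 1
    return counts, events


if __name__ == '__main__':
    counts, events = summarize(SAMPLE)
    for key, n in counts.items():
        print(n, key)
    print('audit events:', sorted(events))
```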