Bug 2203585 - Missing /sys/kernel/debug/tracing/events/openvswitch directory
Summary: Missing /sys/kernel/debug/tracing/events/openvswitch directory
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: RHEL 9.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Aaron Conole
QA Contact: Jean-Tsung Hsiao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-14 09:47 UTC by Gregor Jurgele
Modified: 2023-07-13 07:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker FD-2864 (last updated 2023-05-14 09:49:59 UTC)

Description Gregor Jurgele 2023-05-14 09:47:33 UTC
Description of problem:
Directory /sys/kernel/debug/tracing/events/openvswitch is not created on system start when SELinux is set to enforcing.


Version-Release number of selected component (if applicable):
openvswitch-selinux-extra-policy.noarch       1.0-31.el9fdp             @fast-datapath-for-rhel-9-x86_64-rpms
openvswitch2.17.x86_64                        2.17.0-77.el9fdp          @fast-datapath-for-rhel-9-x86_64-rpms


How reproducible:
Always


Steps to Reproduce:
1. RHEL 9.2 minimal install
2. sudo subscription-manager repos --enable=fast-datapath-for-rhel-9-x86_64-rpms
3. sudo dnf install openvswitch-selinux-extra-policy openvswitch2.17
4. sudo reboot


Actual results:
Directory /sys/kernel/debug/tracing/events/openvswitch and the directories beneath it are missing


Expected results:
Directory /sys/kernel/debug/tracing/events/openvswitch present and not empty


Additional info:
When SELinux is set to permissive the directory is created.

/var/log/messages:
May 14 11:04:53 test systemd[1]: Starting Open vSwitch Forwarding Unit...
May 14 11:04:53 test kernel: Failed to create system directory openvswitch
May 14 11:04:53 test kernel: Failed to create system directory openvswitch
May 14 11:04:53 test kernel: openvswitch: Open vSwitch switching datapath
May 14 11:04:53 test ovs-ctl[720]: Inserting openvswitch module.
May 14 11:04:53 test ovs-ctl[689]: Starting ovs-vswitchd.
May 14 11:04:53 test ovs-vsctl[767]: ovs|00001|vsctl|INFO|Called as ovs-vsctl --no-wait add Open_vSwitch . external-ids hostname=test.local
May 14 11:04:53 test ovs-ctl[689]: Enabling remote OVSDB managers.
May 14 11:04:53 test systemd[1]: Started Open vSwitch Forwarding Unit.

/var/log/audit/audit.log:
type=AVC msg=audit(1684055093.767:25): avc:  denied  { search } for  pid=725 comm="modprobe" name="events" dev="tracefs" ino=35 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1684055093.767:25): avc:  denied  { search } for  pid=725 comm="modprobe" name="events" dev="tracefs" ino=35 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
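
The AVC records above are exactly the input audit2allow turns into a policy rule. As an added example that is not part of this report, of audit2allow, or of the openvswitch-selinux-extra-policy package, the following Python re-implements that step: it parses the report's record (pasted verbatim), plus two constructed lines that are not from the report (a second denial as a permissive=1 run might log it, and a SYSCALL record that has to be ignored), merges the denials into allow rules, renders a .te module, and then checks a candidate rule set against them so that any permission no denial asked for stands out. `PATCH_RULES`, `render_te` and `unjustified_perms` are names chosen for this example; the candidate rule set is an assumption of the example and nothing is read from the running system.

```python
"""Reduce SELinux AVC denial records to the allow rules they justify.

Added example for this bug report; it is not code from the report, from
audit2allow or from openvswitch-selinux-extra-policy.  It re-implements the
core of what audit2allow does so that the rules a policy patch grants can be
compared against what the logged denials actually show.
"""
import re
from collections import defaultdict

# The AVC record from the report (verbatim, as it appears twice), plus
# constructed lines that are NOT from the report: a denial as a permissive
# run might log it (permissive=1) and a SYSCALL record that must be skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1684055093.767:25): avc:  denied  { search } for  pid=725 '
    'comm="modprobe" name="events" dev="tracefs" ino=35 '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1684055093.767:25): avc:  denied  { search } for  pid=725 '
    'comm="modprobe" name="events" dev="tracefs" ino=35 '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0',
    # constructed for this example
    'type=AVC msg=audit(1684055093.770:26): avc:  denied  { read open } for  pid=725 '
    'comm="modprobe" name="events" dev="tracefs" ino=35 '
    'scontext=system_u:system_r:openvswitch_load_module_t:s0 '
    'tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1',
    # constructed for this example; not an AVC record at all
    'type=SYSCALL msg=audit(1684055093.767:25): arch=c000003e syscall=257 '
    'success=no exit=-13 comm="modprobe"',
]

# Candidate rule set to audit against the denials (assumed for this example):
# the kind of dir/file permissions a policy patch might grant to modprobe.
PATCH_RULES = {
    ('openvswitch_load_module_t', 'tracefs_t', 'dir'): {'search', 'getattr', 'open', 'read'},
    ('openvswitch_load_module_t', 'tracefs_t', 'file'): {'map', 'getattr', 'open', 'read'},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)'
    r'\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Pull the type out of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the parts of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(m.group('fields'))
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': comm.group(1) if comm else None,
        'permissive': m.group('permissive') == '1',
    }


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): permissions}.

    Identical records collapse into one entry, and a permissive=1 record
    counts the same as a blocking one: both say the policy lacks that access.
    """
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def render_te(module, version, rules):
    """Emit a minimal .te module: require block plus one allow rule per key."""
    types = sorted({t for (s, o, _c) in rules for t in (s, o)})
    by_class = defaultdict(set)
    for (_s, _o, c), perms in rules.items():
        by_class[c] |= perms
    out = [f'module {module} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(by_class.items())]
    out += ['}', '']
    for (s, o, c), perms in sorted(rules.items()):
        out.append(f'allow {s} {o}:{c} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'


def unjustified_perms(granted, rules):
    """Permissions in a proposed rule set that no logged denial asked for."""
    extra = {}
    for key, perms in granted.items():
        missing = perms - rules.get(key, set())
        if missing:
            extra[key] = missing
    return extra


if __name__ == '__main__':
    rules = collect_rules(SAMPLE_AUDIT)
    print(render_te('ovs_tracefs_local', '1.0', rules))
    for (s, o, c), perms in unjustified_perms(PATCH_RULES, rules).items():
        print(f'# not backed by a denial: allow {s} {o}:{c} {{ {" ".join(sorted(perms))} }};')
```

Run as a script it prints a module containing only `allow openvswitch_load_module_t tracefs_t:dir { open read search };` and flags `getattr` on the directory and every file permission in the candidate set as unsupported by the sample. That is the check to make before widening a policy: collect denials from an enforcing run, then from a permissive run (the reporter notes the directory appears in permissive mode, so further denials would be logged there), and grant only what shows up.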

Comment 1 Gregor Jurgele 2023-05-17 18:41:51 UTC
The patch below, from openvswitch-selinux-extra-policy-1.0-30.el8fdp.src.rpm, is missing from openvswitch-selinux-extra-policy-1.0-31.el9fdp.src.rpm:

diff -upr a/openvswitch-custom.te b/openvswitch-custom.te
--- a/openvswitch-custom.te	2022-02-02 10:55:06.376845429 -0500
+++ b/openvswitch-custom.te	2022-02-02 11:33:48.025800257 -0500
@@ -38,6 +38,7 @@ require {
         type sssd_var_lib_t;
         type sysfs_t;
         type systemd_unit_file_t;
+        type tracefs_t;
         type tun_tap_device_t;
 
         type hugetlbfs_t;
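Review bot: the added `type tracefs_t;` in the require block only links if the base policy the el9 package is built against exports that type; the denial in the report shows tcontext=system_u:object_r:tracefs_t:s0 on the RHEL 9.2 host, so it exists there, but the rebuilt module should still be installed with semodule on an el9 box to confirm the requirement resolves, since an unresolved require fails at link time rather than at build time.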
@@ -163,6 +164,8 @@ allow openvswitch_load_module_t sysfs_t:
 allow openvswitch_load_module_t sysfs_t:file { open read };
 allow openvswitch_load_module_t sysfs_t:lnk_file { read open };
 allow openvswitch_load_module_t systemd_unit_file_t:dir getattr;
+allow openvswitch_load_module_t tracefs_t:dir { search getattr open read };
+allow openvswitch_load_module_t tracefs_t:file { map getattr open read };
 
 # no need to grant search permissions for this - and no need to emit
 # an error, either.
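Review bot: the two allow rules grant more than the denial in this report justifies: the only AVC shown is `{ search }` on tracefs_t:dir for modprobe, yet the hunk also grants getattr/open/read on the directory and `{ map getattr open read }` on tracefs_t files. Since the rule set is carried over from the el8 package it has presumably been exercised there, but before it lands in el9 the full permission list should be confirmed from a permissive-mode run on RHEL 9.2 (the reporter notes the directory is created in permissive mode, so every remaining denial would be logged), and `map` on tracefs files in particular should be dropped unless a denial shows it. The comment just below the hunk describes a neighbouring rule that deliberately grants nothing and silences the error; that treatment does not fit here, because the expected result is a populated events/openvswitch directory, so an allow is correct as long as it stays minimal.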
---

Comment 2 Aaron Conole 2023-05-23 20:46:46 UTC
Please test with https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2517138

Comment 3 Gregor Jurgele 2023-05-24 06:42:31 UTC
brewweb.engineering.redhat.com does not resolve to an IP for me.

