
Bug 2215307

Summary: There is avc.log when running ovs dpdk container case [FDP-8]
Product: Red Hat Enterprise Linux Fast Datapath
Component: openvswitch-selinux-extra-policy
Version: FDP 22
Status: CLOSED ERRATA
Reporter: Aaron Conole <aconole>
Assignee: Aaron Conole <aconole>
QA Contact: Jiying Qiu <jiqiu>
CC: ctrautma, fleitner, jhsiao, jiqiu, ovs-qe, qding, ralongi, tli
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Clone Of: 2051790
Bug Depends On: 2051790
Last Closed: 2023-08-21 02:08:12 UTC

Description Aaron Conole 2023-06-15 13:31:16 UTC
+++ This bug was initially created as a clone of Bug #2051790 +++

Description of problem:
There is avc.log when running ovs dpdk container case

Version-Release number of selected component (if applicable):
[root@dell-per730-50 ~]# rpm -qa|grep openvs
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
openvswitch2.15-2.15.0-57.el8fdp.x86_64
kernel-kernel-networking-openvswitch-perf-1.0-210.noarch
[root@dell-per730-50 ~]# uname -r
4.18.0-305.25.1.el8_4.x86_64


How reproducible:


Steps to Reproduce:
Run ovs dpdk container performance case
1. build ovsbr0
  Bridge ovsbr0
        datapath_type: netdev
        Port dpdk1
            Interface dpdk1
                type: dpdk
                options: {dpdk-devargs="0000:07:00.1", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"}
        Port vhost0
            Interface vhost0
                type: dpdkvhostuserclient
                options: {vhost-server-path="/tmp/vhostuser/vhost0"}
        Port vhost1
            Interface vhost1
                type: dpdkvhostuserclient
                options: {vhost-server-path="/tmp/vhostuser/vhost1"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port dpdk0
            Interface dpdk0
                type: dpdk
                options: {dpdk-devargs="0000:07:00.0", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"}
    ovs_version: "2.15.4"
2. Start container
 podman run -i -t --privileged -v /tmp/vhostuser:/tmp/vhostuser -v /dev/hugepages:/dev/hugepages 4f4c841655b8 dpdk-testpmd -l 0-2 -n 1 -m 1024 --no-pci --vdev=virtio_user0,path=/tmp/vhostuser/vhost0,server=1 --vdev=virtio_user1,path=/tmp/vhostuser/vhost1,server=1 -- -i --forward-mode=io --burst=32 --rxd=8192 --txd=8192 --max-pkt-len=9600 --mbuf-size=9728 --nb-cores=2 --rxq=1 --txq=1 --mbcache=512 --auto-start
3. Send traffic with trex
./binary-search.py --traffic-generator=trex-txrx --frame-size=64 --num-flows=1024 --max-loss-pct=0 --search-runtime=10 --validation-runtime=60 --rate-tolerance=10 --runtime-tolerance=10 --rate=25 --rate-unit=% --duplicate-packet-failure=retry-to-fail --negative-packet-loss=retry-to-fail --rate=100 --rate-unit=% --one-shot=0 --use-src-ip-flows=1 --use-dst-ip-flows=1 --use-src-mac-flows=1 --use-dst-mac-flows=1 --send-teaching-measurement --send-teaching-warmup --teaching-warmup-packet-type=generic --teaching-warmup-packet-rate=1000 --warmup-trial --warmup-trial-runtime=10 --warmup-trial-rate=1

Actual results:
There is the following avc.log in the beaker job.
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/01/62441/6244143/11377650/139181046/651013886/avc.log

type=PROCTITLE msg=audit(1643614160.199:188): proctitle=6F76732D767377697463686400756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F002D2D6D6C6F636B616C6C002D2D75736572006F70656E767377697463683A68756765746C626673002D
type=SYSCALL msg=audit(1643614160.199:188): arch=c000003e syscall=42 success=no exit=-111 a0=4b a1=557bb2c4f354 a2=6e a3=0 items=0 ppid=1 pid=14378 auid=4294967295 uid=994 gid=1001 euid=994 suid=994 fsuid=994 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="vhost-events" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1643614160.199:188): avc:  denied  { write } for  pid=14378 comm="vhost-events" dev="dm-0" ino=135207994 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1


Expected results:
No avc.log

Additional info:
https://beaker.engineering.redhat.com/jobs/6244143
https://beaker.engineering.redhat.com/jobs/6275066

--- Additional comment from liting on 2022-07-18 10:16:09 UTC ---

For rhel9, it also has this issue.
https://beaker.engineering.redhat.com/jobs/6824964

--- Additional comment from Flavio Leitner on 2023-06-14 17:17:19 UTC ---

Aaron,

It happens with RHEL-9 according to comment#1, so I am moving to OVS 3.1.
If that doesn't happen with 3.1, then we should close this because 2.15 is EOL.
Maybe this needs to go to RHEL SELinux instead.
fbl

--- Additional comment from Aaron Conole on 2023-06-15 13:22:30 UTC ---

What is the test scenario you're running?  user_tmp_t isn't typically how vhost images are labeled.

We can support this, but I want to make sure that there isn't something that changed which I'm missing.

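The three audit records quoted in the description share one event id (188), and joining them is how an analyst sees which process (PROCTITLE), which syscall (SYSCALL) and which SELinux domain/type pair (AVC) are involved, and whether the denial was only logged (permissive=1) or actually blocked. The parser below is an added example, not code from the bug or from the openvswitch-selinux-extra-policy package; it runs over a constructed log modelled on the quoted records, and its syscall table covers only connect(2) on x86_64 (arch=c000003e, syscall=42), which is what the quoted SYSCALL record shows.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records quoted in the bug (not the beaker log); the PROCTITLE hex decodes to "ovs-vswitchd\0--user\0openvswitch:hugetlbfs".
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1643614160.199:188): proctitle=6F76732D7673776974636864002D2D75736572006F70656E767377697463683A68756765746C626673
type=SYSCALL msg=audit(1643614160.199:188): arch=c000003e syscall=42 success=no exit=-111 pid=14378 uid=994 comm="vhost-events" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1643614160.199:188): avc:  denied  { write } for  pid=14378 comm="vhost-events" dev="dm-0" ino=135207994 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
X86_64_SYSCALLS = {42: "connect"}  # arch=c000003e is x86_64, where 42 is connect(2)

def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; recover the argv list."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hexstr).split(b"\0") if a]

def parse_record(line):
    """One audit line -> dict of fields; AVC lines additionally get 'verdict' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = EVENT_RE.search(line).group(1)  # every audit record carries msg=audit(ts:id)
    avc = AVC_RE.search(line)
    if avc:
        rec["verdict"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def triage(log_text):
    """Join PROCTITLE/SYSCALL/AVC records on the audit event id and summarise each denial."""
    events = defaultdict(dict)
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        events[rec["event"]][rec["type"]] = rec
    summary = {}
    for ev, recs in events.items():
        avc, sc, pt = recs.get("AVC"), recs.get("SYSCALL", {}), recs.get("PROCTITLE", {})
        if not avc:
            continue
        on_x86_64 = sc.get("arch") == "c000003e"
        summary[ev] = {
            "argv": decode_proctitle(pt.get("proctitle", "")),
            "source_type": avc["scontext"].split(":")[2],  # e.g. openvswitch_t
            "target_type": avc["tcontext"].split(":")[2],  # e.g. user_tmp_t
            "tclass": avc["tclass"], "perms": avc["perms"], "verdict": avc["verdict"],
            "enforced": avc.get("permissive") == "0",      # permissive=1: logged, not blocked
            "syscall": X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), "?") if on_x86_64 else "?",
            "exit": int(sc.get("exit", 0)),                # -111 is -ECONNREFUSED on Linux
        }
    return summary
```

On the quoted records this yields openvswitch_t denied write on a user_tmp_t sock_file during connect(2), with the denial not enforced; the mismatch between the openvswitch domain and the user_tmp_t label on the vhost-user socket is what the policy update in this bug addresses.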
Comment 3 Jiying Qiu 2023-08-02 06:22:22 UTC
Running on RHEL-8.6.0-updates-20230731.21 with openvswitch3.1-3.1.0-39.el8fdp.x86_64.rpm, no avc log is reported.
https://beaker.engineering.redhat.com/jobs/8139578

Comment 5 errata-xmlrpc 2023-08-21 02:08:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openvswitch-selinux-extra-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4681