Bug 2215307 - THere is avc.log when running ovs dpdk container case [FDP-8]
Summary: THere is avc.log when running ovs dpdk container case [FDP-8]
Keywords:
Status: RELEASE_PENDING
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: FDP 22.A
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Aaron Conole
QA Contact: Jiying Qiu
URL:
Whiteboard:
Depends On: 2051790
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-15 13:31 UTC by Aaron Conole
Modified: 2023-08-16 00:04 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2051790
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-2953 0 None None None 2023-06-15 13:31:34 UTC

Description Aaron Conole 2023-06-15 13:31:16 UTC 
+++ This bug was initially created as a clone of Bug #2051790 +++

Description of problem:
THere is avc.log when running ovs dpdk container case

Version-Release number of selected component (if applicable):
[root@dell-per730-50 ~]# rpm -qa|grep openvs
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
openvswitch2.15-2.15.0-57.el8fdp.x86_64
kernel-kernel-networking-openvswitch-perf-1.0-210.noarch
[root@dell-per730-50 ~]# uname -r
4.18.0-305.25.1.el8_4.x86_64


How reproducible:


Steps to Reproduce:
Run ovs dpdk container performance case
1. build ovsbr0
  Bridge ovsbr0
        datapath_type: netdev
        Port dpdk1
            Interface dpdk1
                type: dpdk
                options: {dpdk-devargs="0000:07:00.1", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"}
        Port vhost0
            Interface vhost0
                type: dpdkvhostuserclient
                options: {vhost-server-path="/tmp/vhostuser/vhost0"}
        Port vhost1
            Interface vhost1
                type: dpdkvhostuserclient
                options: {vhost-server-path="/tmp/vhostuser/vhost1"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
        Port dpdk0
            Interface dpdk0
                type: dpdk
                options: {dpdk-devargs="0000:07:00.0", n_rxq="1", n_rxq_desc="1024", n_txq_desc="1024"}
    ovs_version: "2.15.4"
2. Start container
 podman run -i -t --privileged -v /tmp/vhostuser:/tmp/vhostuser -v /dev/hugepages:/dev/hugepages 4f4c841655b8 dpdk-testpmd -l 0-2 -n 1 -m 1024 --no-pci --vdev=virtio_user0,path=/tmp/vhostuser/vhost0,server=1 --vdev=virtio_user1,path=/tmp/vhostuser/vhost1,server=1 -- -i --forward-mode=io --burst=32 --rxd=8192 --txd=8192 --max-pkt-len=9600 --mbuf-size=9728 --nb-cores=2 --rxq=1 --txq=1 --mbcache=512 --auto-start
3. Send traffic with trex
./binary-search.py --traffic-generator=trex-txrx --frame-size=64 --num-flows=1024 --max-loss-pct=0 --search-runtime=10 --validation-runtime=60 --rate-tolerance=10 --runtime-tolerance=10 --rate=25 --rate-unit=% --duplicate-packet-failure=retry-to-fail --negative-packet-loss=retry-to-fail --rate=100 --rate-unit=% --one-shot=0 --use-src-ip-flows=1 --use-dst-ip-flows=1 --use-src-mac-flows=1 --use-dst-mac-flows=1 --send-teaching-measurement --send-teaching-warmup --teaching-warmup-packet-type=generic --teaching-warmup-packet-rate=1000 --warmup-trial --warmup-trial-runtime=10 --warmup-trial-rate=1

Actual results:
There is following avc.log in beaker job.
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2022/01/62441/6244143/11377650/139181046/651013886/avc.log

type=PROCTITLE msg=audit(1643614160.199:188): proctitle=6F76732D767377697463686400756E69783A2F7661722F72756E2F6F70656E767377697463682F64622E736F636B002D76636F6E736F6C653A656D6572002D767379736C6F673A657272002D7666696C653A696E666F002D2D6D6C6F636B616C6C002D2D75736572006F70656E767377697463683A68756765746C626673002D
type=SYSCALL msg=audit(1643614160.199:188): arch=c000003e syscall=42 success=no exit=-111 a0=4b a1=557bb2c4f354 a2=6e a3=0 items=0 ppid=1 pid=14378 auid=4294967295 uid=994 gid=1001 euid=994 suid=994 fsuid=994 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="vhost-events" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1643614160.199:188): avc:  denied  { write } for  pid=14378 comm="vhost-events" dev="dm-0" ino=135207994 scontext=system_u:system_r:openvswitch_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1


Expected results:
No avc.log

Additional info:
https://beaker.engineering.redhat.com/jobs/6244143
https://beaker.engineering.redhat.com/jobs/6275066

--- Additional comment from liting on 2022-07-18 10:16:09 UTC ---

For rhel9, it also has this issue.
https://beaker.engineering.redhat.com/jobs/6824964

--- Additional comment from Flavio Leitner on 2023-06-14 17:17:19 UTC ---

Aaron,

It happens with RHEL-9 according to comment#1, so I am moving to OVS 3.1.
If that doesn't happen with 3.1, then we should close this because 2.15 is EOL.
Maybe this needs to go to RHEL SELinux instead.
fbl

--- Additional comment from Aaron Conole on 2023-06-15 13:22:30 UTC ---

What is the test scenario you're running?  user_tmp_t isn't typically how vhost images are labeled.

We can support this, but I want to make sure that there isn't something that changed which I'm missing.
Comment 3 Jiying Qiu 2023-08-02 06:22:22 UTC 
Run on RHEL-8.6.0-updates-20230731.21 and openvswitch3.1-3.1.0-39.el8fdp.x86_64.rpm, there is no avc log reported.
https://beaker.engineering.redhat.com/jobs/8139578
Note You need to log in before you can comment on or make changes to this bug.