Bug 2224464 - ovs-vswitch create virtio port failed when enable selinux
Status: NEW
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: openvswitch-selinux-extra-policy
Version: RHEL 9.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Assignee: Aaron Conole
QA Contact: mhou
Reported: 2023-07-21 02:29 UTC by mhou
Modified: 2023-07-21 02:29 UTC (History)

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-3043 0 None None None 2023-07-21 02:29:45 UTC

Description mhou 2023-07-21 02:29:22 UTC
Description of problem:
Running ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1" failed.

Version-Release number of selected component (if applicable):
openvswitch3.1-3.1.0-35.el9fdp

How reproducible: 100%


Steps to Reproduce:
1. Create the virtio port
# systemctl start openvswitch
# ovs-vsctl set Open_vSwitch . other_config:dpdk-init=true
# ovs-vsctl add-br ovsbr0 -- set bridge ovsbr0 datapath_type=netdev
# ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1"
2. Try to import an SELinux policy
# grep "openvswitch_t" /var/log/audit/audit.log | audit2allow -M ovslocal
# semodule -i ovslocal.pp
# ovs-vsctl add-port ovsbr0 g1_dpdk1 -- set interface g1_dpdk1 type=dpdk -- set interface g1_dpdk1 options:dpdk-devargs="net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1"
ovs-vsctl: Error detected while setting up 'g1_dpdk1': Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK.  See ovs-vswitchd log for details.
ovs-vsctl: The default log directory is "/var/log/openvswitch".

3. Check the SELinux label on /dev/vhost-net
# ll -Z /dev/vhost-net 
crw-rw-rw-. 1 root kvm system_u:object_r:vhost_device_t:s0 10, 238 Jul 19 12:22 /dev/vhost-net

Actual results:
1. Creating the port failed; see the error log in ovs-vswitchd.log:
2023-07-21T02:18:28.722Z|00060|dpif_netdev|INFO|PMD load based sleeps are disabled.
2023-07-21T02:18:28.727Z|00061|bridge|INFO|bridge ovsbr0: added interface ovsbr0 on port 65534
2023-07-21T02:18:28.728Z|00062|bridge|INFO|bridge ovsbr0: using datapath ID 00002e1da8e75e42
2023-07-21T02:18:28.728Z|00063|connmgr|INFO|ovsbr0: added service controller "punix:/var/run/openvswitch/ovsbr0.mgmt"
2023-07-21T02:18:53.614Z|00064|dpdk|ERR|virtio_user_backend_type(): Stat fails: /dev/vhost-net (Permission denied)
2023-07-21T02:18:53.614Z|00065|dpdk|ERR|virtio_user_pmd_probe(): unable to determine backend type for path /dev/vhost-net
2023-07-21T02:18:53.614Z|00066|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:18:53.614Z|00067|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:18:53.614Z|00068|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:18:53.614Z|00069|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:18:53.614Z|00070|dpdk|ERR|Invalid port_id=1024
2023-07-21T02:19:36.099Z|00071|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:19:36.099Z|00072|dpdk|ERR|virtio_user_dev_setup(): (/dev/vhost-net) Failed to setup backend
2023-07-21T02:19:36.099Z|00073|dpdk|ERR|virtio_user_dev_init(): (/dev/vhost-net) backend set up fails
2023-07-21T02:19:36.099Z|00074|dpdk|ERR|virtio_user_pmd_probe(): virtio_user_dev_init fails
2023-07-21T02:19:36.099Z|00075|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:19:36.099Z|00076|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:19:36.099Z|00077|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:19:36.099Z|00078|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:19:36.099Z|00079|dpdk|ERR|Invalid port_id=1024
2023-07-21T02:21:09.852Z|00080|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:21:09.852Z|00081|dpdk|ERR|virtio_user_dev_setup(): (/dev/vhost-net) Failed to setup backend
2023-07-21T02:21:09.852Z|00082|dpdk|ERR|virtio_user_dev_init(): (/dev/vhost-net) backend set up fails
2023-07-21T02:21:09.852Z|00083|dpdk|ERR|virtio_user_pmd_probe(): virtio_user_dev_init fails
2023-07-21T02:21:09.852Z|00084|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:21:09.852Z|00085|dpdk|ERR|EAL: Failed to attach device on primary process
2023-07-21T02:21:09.852Z|00086|netdev_dpdk|WARN|Error attaching device 'net_virtio_user0,path=/dev/vhost-net,iface=g1_dpdk1' to DPDK
2023-07-21T02:21:09.852Z|00087|netdev|WARN|g1_dpdk1: could not set configuration (Invalid argument)
2023-07-21T02:21:09.852Z|00088|dpdk|ERR|Invalid port_id=1024


Expected results:
openvswitch-selinux should support the SELinux label with a virtio tap device

Additional info:
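
Added example (not part of the original report, and not Open vSwitch or DPDK code): a Python sketch that groups the dpdk ERR records above by attach attempt and reports which operation on /dev/vhost-net was denied each time. The log lines are copied from this report; the syscall-to-permission mapping (stat needs getattr, open needs open on a chr_file) is general SELinux behaviour assumed here, since the report contains no AVC records.

```python
import re

# Lines copied from the ovs-vswitchd.log excerpt in this report (trimmed).
SAMPLE_LOG = """\
2023-07-21T02:18:53.614Z|00064|dpdk|ERR|virtio_user_backend_type(): Stat fails: /dev/vhost-net (Permission denied)
2023-07-21T02:18:53.614Z|00066|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:19:36.099Z|00071|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:19:36.099Z|00075|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
2023-07-21T02:21:09.852Z|00080|dpdk|ERR|vhost_kernel_setup(): fail to open /dev/vhost-net, Permission denied
2023-07-21T02:21:09.852Z|00084|dpdk|ERR|EAL: Driver cannot attach the device (net_virtio_user0)
"""

# DPDK message fragment -> (syscall, SELinux chr_file permission); assumed mapping.
OPS = {"stat fails": ("stat", "getattr"), "fail to open": ("open", "open")}
PATH_RE = re.compile(r"(/[\w./-]+)")
FUNC_RE = re.compile(r"^(\w+)\(\)")
DEV_RE = re.compile(r"cannot attach the device \((\w+)\)")

def denied_attempts(log_text):
    """Return one record per attach attempt that hit 'Permission denied'."""
    attempts = {}
    for line in log_text.splitlines():
        parts = line.split("|", 4)  # timestamp|seq|module|level|message
        if len(parts) != 5 or parts[2] != "dpdk" or parts[3] != "ERR":
            continue
        ts, msg = parts[0], parts[4]
        if "Permission denied" in msg:
            op = next((v for k, v in OPS.items() if k in msg.lower()), ("?", "?"))
            func, path = FUNC_RE.search(msg), PATH_RE.search(msg)
            attempts.setdefault(ts, {  # keep only the first denial per attempt
                "time": ts, "function": func.group(1) if func else "?",
                "syscall": op[0], "permission": op[1],
                "path": path.group(1) if path else "?", "device": None})
        elif ts in attempts and (dev := DEV_RE.search(msg)):
            attempts[ts]["device"] = dev.group(1)  # device named later in the same attempt
    return list(attempts.values())

def progression(attempts):
    """Distinct denied syscalls in the order they first appear."""
    return list(dict.fromkeys(a["syscall"] for a in attempts))

if __name__ == "__main__":
    for a in denied_attempts(SAMPLE_LOG):
        print(a)
    print("progression:", progression(denied_attempts(SAMPLE_LOG)))
```

On this excerpt the denied call moves from stat to open between attempts, so each attempt records only the first blocked operation on the device.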

