Fast Datapath Product
FDP-2725

Test Coverage: AVC denials occur because the openvswitch_t process (ovs-vswitchd) is trying to access /dev/vduse/control

    • rhel-10

      This task is tracking the test case writing activities to cover the bug described below.

       Problem Description: Clearly explain the issue.

      AVC denials occur because the openvswitch_t process (ovs-vswitchd) is trying to access /dev/vduse/control
       

       Impact Assessment: Describe the severity and impact (e.g., network down, availability of a workaround, etc.).

       

       Software Versions: Specify the exact versions in use (e.g., openvswitch3.1-3.1.0-147.el8fdp).

      [root@dell-per750-37 ~]# rpm -qa|grep selinux
      libselinux-3.9-2.el10.x86_64
      libselinux-utils-3.9-2.el10.x86_64
      python3-libselinux-3.9-2.el10.x86_64
      selinux-policy-42.1.10-1.el10.noarch
      selinux-policy-targeted-42.1.10-1.el10.noarch
      insights-core-selinux-3.6.9.2-1.el10.noarch
      rpm-plugin-selinux-4.19.1.1-20.el10.x86_64
      passt-selinux-0^20250512.g8ec1341-4.el10_1.noarch
      container-selinux-2.241.0-1.el10.noarch
      selinux-policy-targeted-extra-42.1.10-1.el10.noarch
      selinux-policy-extra-42.1.10-1.el10.noarch
      swtpm-selinux-0.9.0-5.el10.noarch
      nbdkit-selinux-1.44.1-2.el10.noarch
      openvswitch-selinux-extra-policy-1.0-39.el10fdp.noarch
      [root@dell-per750-37 ~]# uname -r
      6.12.0-157.el10.x86_64
      [root@dell-per750-37 ~]# rpm -qa|grep openvs
      openvswitch-selinux-extra-policy-1.0-39.el10fdp.noarch
      openvswitch3.6-3.6.0-12.el10fdp.fdpqe1601.9.x86_64

       

        Issue Type: Indicate whether this is a new issue or a regression (if a regression, state the last known working version).

       

       Reproducibility: Confirm if the issue can be reproduced consistently. If not, describe how often it occurs.

       

       Reproduction Steps: Provide detailed steps or scripts to replicate the issue.

      Run tcp_ns_vduse_test test
      setenforce 0
      systemctl restart openvswitch
      ovs-vsctl show
      ovs-vsctl --no-wait set Open_vSwitch . other_config:dpdk-init="true"
      ovs-vsctl --no-wait set Open_vSwitch . other_config:userspace-tso-enable="true"
      ovs-vsctl add-br br0 -- set bridge br0 datapath_type=netdev
      ovs-vsctl add-port br0 vduse0 -- set Interface vduse0 type=dpdkvhostuserclient options:vhost-server-path=/dev/vduse/vduse0
      ovs-vsctl add-port br0 vduse1 -- set Interface vduse1 type=dpdkvhostuserclient options:vhost-server-path=/dev/vduse/vduse1
      vdpa dev add name vduse0 mgmtdev vduse
      vdpa dev add name vduse1 mgmtdev vduse
      driverctl -b vdpa set-override vduse0 vhost_vdpa
      driverctl -b vdpa set-override vduse1 vhost_vdpa
      ip netns add ns0
      ip link set dev eth0 netns ns0
      ip netns exec ns0 ip a a 192.168.101.1/24 dev eth0
      ip netns exec ns0 ip a a 2001:0db8:4::1/64 dev eth0
      ip netns exec ns0 ip l set dev eth0 up
      ip netns add ns1
      ip link set dev eth1 netns ns1
      ip netns exec ns1 ip a a 192.168.101.2/24 dev eth1
      ip netns exec ns1 ip a a 2001:0db8:4::2/64 dev eth1
      ip netns exec ns1 ip l set dev eth1 up
      numactl -m {numa_node} -N {numa_node} ip netns exec ns1 /bin/bash -c "iperf3 -s -D"
      numactl -m {numa_node} -N {numa_node} ip netns exec ns0 /bin/bash -c "iperf3 -c 192.168.101.2 -t 30"
      numactl -m {numa_node} -N {numa_node} ip netns exec ns0 /bin/bash -c "iperf3 -c 2001:0db8:4::2 -t 30"

       

       Expected Behavior: Describe what should happen under normal circumstances.

      No avc.log
       

       Observed Behavior: Explain what actually happens.

      Running the tcp_ns_vduse_test test with testing-farm produces an avc.log.
      testing-farm log:
      https://artifacts.osci.redhat.com/testing-farm/f14c6968-ea2c-49f5-bb66-159dee8428b2/

       avc.log link:
      https://artifacts.osci.redhat.com/testing-farm/f14c6968-ea2c-49f5-bb66-159dee8428b2/work-vduse_dell37_dell557zxya66s/tmt_test_plans/vdpa/vduse_dell37_dell55/execute/data/guest/server/networking/vdpa-1/checks/avc.txt

      avc log:

      type=PROCTITLE msg=audit(11/19/25 01:05:04.831:312) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log 
      type=SYSCALL msg=audit(11/19/25 01:05:04.831:312) : arch=x86_64 syscall=openat success=yes exit=89 a0=AT_FDCWD a1=0x5562bf9311c7 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=18271 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
      type=AVC msg=audit(11/19/25 01:05:04.831:312) : avc:  denied  { open } for  pid=18271 comm=ovs-vswitchd path=/dev/vduse/control dev="devtmpfs" ino=1130 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 
      type=AVC msg=audit(11/19/25 01:05:04.831:312) : avc:  denied  { read write } for  pid=18271 comm=ovs-vswitchd name=control dev="devtmpfs" ino=1130 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 
      ----
      type=PROCTITLE msg=audit(11/19/25 01:05:04.831:313) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log 
      type=SYSCALL msg=audit(11/19/25 01:05:04.831:313) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x59 a1=0x40088101 a2=0x7ffd62b23118 a3=0x0 items=0 ppid=1 pid=18271 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ovs-vswitchd exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
      type=AVC msg=audit(11/19/25 01:05:04.831:313) : avc:  denied  { ioctl } for  pid=18271 comm=ovs-vswitchd path=/dev/vduse/control dev="devtmpfs" ino=1130 ioctlcmd=0x8101 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 
      ----
      type=PROCTITLE msg=audit(11/19/25 01:05:05.364:314) : proctitle=ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --no-chdir --log-file=/var/log 
      type=SYSCALL msg=audit(11/19/25 01:05:05.364:314) : arch=x86_64 syscall=ioctl success=yes exit=103 a0=0x5a a1=0xc0208110 a2=0x7f1f30397a70 a3=0x17ff8d818 items=0 ppid=1 pid=18271 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pmd-c34/id:27 exe=/usr/sbin/ovs-vswitchd subj=system_u:system_r:openvswitch_t:s0 key=(null) 
      type=AVC msg=audit(11/19/25 01:05:05.364:314) : avc:  denied  { ioctl } for  pid=18271 comm=pmd-c34/id:27 path=/dev/vduse/vduse0 dev="devtmpfs" ino=1133 ioctlcmd=0x8110 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
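
      Added example, not part of this issue or of the Open vSwitch project: a small Python parser for the avc.txt records above that groups the denials by (source type, target type, object class) and reports the merged permission set, the paths and ioctl commands involved, and whether every record was logged with permissive=1, which is why the paired SYSCALL records still show success=yes. The check_no_denials helper expresses the "No avc.log" expectation as a check a test case can assert on; the only input it assumes is the four type=AVC lines quoted above.

```python
import re
from collections import defaultdict

# AVC records copied from the avc.txt quoted in this issue (only the type=AVC lines).
AVC_LOG = """\
type=AVC msg=audit(11/19/25 01:05:04.831:312) : avc:  denied  { open } for  pid=18271 comm=ovs-vswitchd path=/dev/vduse/control dev="devtmpfs" ino=1130 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/19/25 01:05:04.831:312) : avc:  denied  { read write } for  pid=18271 comm=ovs-vswitchd name=control dev="devtmpfs" ino=1130 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/19/25 01:05:04.831:313) : avc:  denied  { ioctl } for  pid=18271 comm=ovs-vswitchd path=/dev/vduse/control dev="devtmpfs" ino=1130 ioctlcmd=0x8101 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/19/25 01:05:05.364:314) : avc:  denied  { ioctl } for  pid=18271 comm=pmd-c34/id:27 path=/dev/vduse/vduse0 dev="devtmpfs" ino=1133 ioctlcmd=0x8110 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

# "avc:  denied  { perms } for  key=value ..." -> permission list plus the rest of the record
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per denial: the key=value fields plus a 'perms' set."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE / SYSCALL lines and separators carry no denial
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = set(m.group("perms").split())
        yield rec

def ctx_type(ctx):
    """system_u:system_r:openvswitch_t:s0 -> openvswitch_t"""
    return ctx.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, object class) and merge, per group,
    the permissions, the object paths, the ioctl commands and whether every record was
    logged with permissive=1 (which is why the SYSCALL records still say success=yes)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "ioctls": set(), "permissive": True})
    for rec in parse_avc(text):
        g = groups[(ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["paths"].add(rec.get("path") or rec.get("name"))
        if "ioctlcmd" in rec:
            g["ioctls"].add(rec["ioctlcmd"])
        g["permissive"] &= rec.get("permissive") == "1"
    return dict(groups)

def check_no_denials(text, source="openvswitch_t"):
    """The 'No avc.log' expectation as a check: the groups in which `source` was denied
    anything. An empty list means the expectation holds for that domain."""
    return [key for key in summarize(text) if key[0] == source]
```

For the records above the summary collapses to a single group, openvswitch_t against device_t:chr_file with { ioctl open read write }, i.e. the device nodes under /dev/vduse carry only the generic device label.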
      

       Troubleshooting Actions: Outline the steps taken to diagnose or resolve the issue so far.

       

       Logs: If you collected logs please provide them (e.g. sos report, /var/log/openvswitch/* , testpmd console)
