[ovs-discuss] Cannot open /dev/vfio/noiommu-0: Operation not permitted

Leon Goldberg lgoldber at redhat.com
Wed May 9 07:22:08 UTC 2018


Hi,

I'm encountering several security-related issues. I'm using the noiommu mode of
VFIO, and it seems like SELinux blocks OVS attempts both to use the device
(noiommu-0) and to connect to the qemu vhostuser client.


Version

[root at lago-network-suite-master-host-0 ~]# ovs-vswitchd --version
ovs-vswitchd (Open vSwitch) 2.9.0
DPDK 17.11.0
[root at lago-network-suite-master-host-0 ~]#

[root at lago-network-suite-master-host-0 ~]# uname -r
3.10.0-693.21.1.el7.x86_64

SELinux

[root at lago-network-suite-master-host-0 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Trying to add dpdk port:

[root at lago-network-suite-master-host-0 ~]# ovs-vsctl add-port br0 dpdk-p0 -- set Interface dpdk-p0 type=dpdk options:dpdk-devargs=0000:00:04.0
ovs-vsctl: Error detected while setting up 'dpdk-p0': Error attaching device '0000:00:04.0' to DPDK.  See ovs-vswitchd log for details.
ovs-vsctl: The default log directory is "/var/log/openvswitch".
[root at lago-network-suite-master-host-0 ~]# cat /var/log/openvswitch/ovs-vswitchd.log | grep permitted
2018-05-08T14:29:02.755Z|00227|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:22.532Z|00239|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:22.549Z|00250|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.525Z|00023|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.573Z|00082|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.595Z|00105|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.712Z|00124|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.721Z|00135|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:29:23.725Z|00146|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted
2018-05-08T14:32:32.713Z|00160|dpdk|ERR|EAL: Cannot open /dev/vfio/noiommu-0: Operation not permitted

audit.log snippet:

[root at lago-network-suite-master-host-0 ~]# tail /var/log/audit/audit.log | grep openvswitch_t
type=AVC msg=audit(1525789763.711:1210): avc:  denied  { open } for  pid=22757 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=33747 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1525789763.711:1210): arch=c000003e syscall=2 success=no exit=-1 a0=7fff0045bfa0 a1=2 a2=7fff0045bfb3 a3=0 items=0 ppid=1 pid=22757 auid=4294967295 uid=994 gid=1000 euid=994 suid=994 fsuid=994 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd" subj=system_u:system_r:openvswitch_t:s0 key=(null)

permissions/users:

[root at lago-network-suite-master-host-0 ~]# ps aux | grep ovs-vswitchd
openvsw+ 22757  0.3  5.1 1122780 96568 ?       S<Lsl 10:29   0:01 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --user openvswitch:hugetlbfs --no-chdir --log-file=/var/log/openvswitch/ovs-vswitchd.log --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach
root     22933  0.0  0.0 112660   972 pts/0    S+   10:34   0:00 grep --color=auto ovs-vswitchd
[root at lago-network-suite-master-host-0 ~]# ls -lah /dev/vfio
total 0
drwxr-xr-x.  2 root root            80 May  8 06:34 .
drwxr-xr-x. 19 root root          3.2K May  8 06:34 ..
crw-rw----.  1 root hugetlbfs 244,   0 May  8 06:34 noiommu-0
crw-rw-rw-.  1 root root       10, 196 May  8 06:34 vfio
[root at lago-network-suite-master-host-0 ~]#

Trying to connect to vhost socket:

type=AVC msg=audit(1525707587.009:447): avc:  denied  { remove_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:447): avc:  denied  { unlink } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525707587.009:448): avc:  denied  { add_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:448): avc:  denied  { create } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file

OVS log shows:

2018-05-08T15:27:15.059Z|00072|dpdk|INFO|VHOST_CONFIG: vhost-user client: socket created, fd: 55
2018-05-08T15:27:15.059Z|00073|netdev_dpdk|INFO|vHost User device 'dpdkvhostclient1' created in 'client' mode, using client socket '/vhostusers/vhost-user-5'
2018-05-08T15:27:15.062Z|00074|dpdk|WARN|VHOST_CONFIG: failed to connect to /vhostusers/vhost-user-5: Permission denied
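The AVC records above are the raw material for the usual triage step, which is to aggregate denials by (source type, target type, object class) the way audit2allow does, and then decide per rule whether it belongs in a local policy module or whether it is really a labelling problem. The Python below is an added example for that step; it is not code from the post, from Open vSwitch, DPDK or the SELinux userspace tools. The sample records are the denials quoted in the post, constructed here one record per line; the function names are hypothetical, and the label passed to relabel_commands is left to the caller because it depends on the local policy.

```python
"""Aggregate SELinux AVC denials into audit2allow-style TE rules.

Added example (not code from the post, OVS, DPDK or SELinux tools).
The sample records below are constructed from the denials quoted in
the post; function names are hypothetical. In production, use
`ausearch -m avc` and `audit2allow -a` rather than this script.
"""
import re
from collections import defaultdict

# Constructed sample input: the records quoted in the post, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1525789763.711:1210): avc:  denied  { open } for  pid=22757 comm="ovs-vswitchd" path="/dev/vfio/noiommu-0" dev="devtmpfs" ino=33747 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1525789763.711:1210): arch=c000003e syscall=2 success=no exit=-1 comm="ovs-vswitchd" exe="/usr/sbin/ovs-vswitchd"
type=AVC msg=audit(1525707587.009:447): avc:  denied  { remove_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:447): avc:  denied  { unlink } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" dev="vda3" ino=8742121 scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
type=AVC msg=audit(1525707587.009:448): avc:  denied  { add_name } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1525707587.009:448): avc:  denied  { create } for  pid=4497 comm="qemu-kvm" name="vhost-user-5" scontext=system_u:system_r:svirt_t:s0:c794,c950 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
"""

# One AVC record: permissions in braces, then comm, scontext, tcontext, tclass.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return one dict per 'type=AVC ... denied' record; other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                'comm': m.group('comm'),
                'perms': set(m.group('perms').split()),
                'source': context_type(m.group('scontext')),
                'target': context_type(m.group('tcontext')),
                'tclass': m.group('tclass'),
            })
    return denials


def aggregate_rules(denials):
    """Merge denials sharing (source type, target type, class) into one permission set."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)


def split_by_fix(rules):
    """Separate rules that may belong in a local module from labelling problems.

    A tcontext of default_t means the path matched no file-context
    specification, so the fix is to label the path (semanage fcontext +
    restorecon), not to grant the domain access to default_t, which would
    cover every unlabelled file on the host.
    """
    allow = {k: v for k, v in rules.items() if k[1] != 'default_t'}
    relabel = {k: v for k, v in rules.items() if k[1] == 'default_t'}
    return allow, relabel


def to_te(rules):
    """Render rules as TE allow statements in the form audit2allow prints."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        lines.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return '\n'.join(lines)


def relabel_commands(path, label):
    """Commands that give a directory tree a persistent label.

    Which label is right depends on the local policy; it is an assumption
    left to the caller rather than hard-coded here.
    """
    return [
        f"semanage fcontext -a -t {label} '{path}(/.*)?'",
        f'restorecon -Rv {path}',
    ]


if __name__ == '__main__':
    rules = aggregate_rules(parse_avc(SAMPLE_AUDIT))
    allow, relabel = split_by_fix(rules)
    print('# candidate rules for a local module (review before loading):')
    print(to_te(allow))
    print('# denials against default_t: label the path instead of allowing them:')
    print(to_te(relabel))
    print('\n'.join(relabel_commands('/vhostusers', 'LABEL_OF_YOUR_CHOICE')))
```

Two caveats worth keeping in mind when reading the output against the post. First, the qemu denials all have tcontext default_t on /vhostusers, which is the signature of a directory created outside any file-context rule; relabelling it is the fix, and an `allow svirt_t default_t:...` rule would be far broader than the vhost-user sockets. Second, sestatus shows the box in permissive mode, where AVC denials are logged but not enforced, so the EPERM returned by open(2) on /dev/vfio/noiommu-0 cannot be coming from SELinux alone; upstream vfio requires CAP_SYS_RAWIO to open a noiommu group, and ovs-vswitchd is running unprivileged here (uid 994 via --user openvswitch:hugetlbfs), which is the other thing to check before loading any policy module.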