- Bug
- Resolution: Done
- Medium
- 18.04
- None
- None
With SELinux disabled or set to Permissive, the following command succeeds. With SELinux set to Enforcing, the command fails:
$ vppctl create tap id 1
create tap: open '/dev/vhost-net': Permission denied
With setroubleshoot installed and SELinux set to Permissive, the following logs are output:
Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net. For complete SELinux messages run: sealert -l 514103d8-17ea-4eb9-aa6f-046cf4bd1b5b

Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that vpp should be allowed read write access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
# semodule -i my-vppmain.pp

Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net. For complete SELinux messages run: sealert -l 514103d8-17ea-4eb9-aa6f-046cf4bd1b5b

Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file vhost-net.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that vpp should be allowed read write access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
# semodule -i my-vppmain.pp

Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: failed to retrieve rpm info for /dev/vhost-net

Mar 12 16:19:53 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing /usr/bin/vpp from ioctl access on the chr_file /dev/vhost-net. For complete SELinux messages run: sealert -l 8bfe2306-a53d-4a4c-9c92-ae8dd99928aa

Mar 12 16:19:53 wdm-vpp1-centos-7-4 python: SELinux is preventing /usr/bin/vpp from ioctl access on the chr_file /dev/vhost-net.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that vpp should be allowed ioctl access on the vhost-net chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
# semodule -i my-vppmain.pp

Mar 12 16:19:56 wdm-vpp1-centos-7-4 setroubleshoot: SELinux is preventing vpp_main from create access on the netlink_route_socket Unknown. For complete SELinux messages run: sealert -l 5d841112-9e10-4ee3-a6a1-729eaeae2292

Mar 12 16:19:56 wdm-vpp1-centos-7-4 python: SELinux is preventing vpp_main from create access on the netlink_route_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that vpp_main should be allowed create access on the Unknown netlink_route_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
# semodule -i my-vppmain.pp
Following the setroubleshoot logs:
$ sudo ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain
$ cat my-vppmain.te

module my-vppmain 1.0;

require {
	type vhost_device_t;
	type vpp_t;
	class netlink_route_socket { bind create nlmsg_write };
	class chr_file { ioctl open read write };
}

#============= vpp_t ==============
allow vpp_t self:netlink_route_socket { bind create nlmsg_write };
allow vpp_t vhost_device_t:chr_file { ioctl open read write };
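As an added illustration (not part of the bug report and not VPP's own policy sources), the Python script below reproduces what the `ausearch -c 'vpp_main' --raw | audit2allow -M my-vppmain` step does with the raw AVC records: it groups each denial by source type, target type and object class, merges the permission sets, and renders a .te module in the same layout as the one shown above. The AVC lines are constructed samples in the shape `ausearch --raw` prints, chosen so that they yield the same two rules as the reporter's module; `parse_denials`, `render_module` and `all_permissive` are names chosen here. The `all_permissive` check reflects why the report gathered its logs in Permissive mode: the Enforcing-mode output above shows the open of /dev/vhost-net failing first, so the later netlink denials would not be reached and a module built from an Enforcing-mode audit log would be incomplete.

```python
import re
from collections import defaultdict

# Constructed sample of raw AVC records, in the form `ausearch --raw` prints them.
# These are illustrative records, not the audit log from the original report; the
# types, classes and permissions are chosen to match the module the report shows.
SAMPLE_AVC = """\
type=AVC msg=audit(1520893193.101:4001): avc:  denied  { read write } for  pid=1201 comm="vpp_main" name="vhost-net" dev="devtmpfs" ino=9999 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1520893193.101:4002): avc:  denied  { open } for  pid=1201 comm="vpp_main" path="/dev/vhost-net" dev="devtmpfs" ino=9999 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1520893193.102:4003): avc:  denied  { ioctl } for  pid=1201 comm="vpp_main" path="/dev/vhost-net" dev="devtmpfs" ino=9999 ioctlcmd=0xaf01 scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1520893196.500:4004): avc:  denied  { create } for  pid=1201 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1520893196.500:4005): avc:  denied  { bind } for  pid=1201 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1520893196.501:4006): avc:  denied  { nlmsg_write } for  pid=1201 comm="vpp_main" scontext=system_u:system_r:vpp_t:s0 tcontext=system_u:system_r:vpp_t:s0 tclass=netlink_route_socket permissive=1
type=SYSCALL msg=audit(1520893196.501:4006): arch=c000003e syscall=49 success=yes exit=0 comm="vpp_main" exe="/usr/bin/vpp" subj=system_u:system_r:vpp_t:s0 key=(null)
"""

# One AVC record: the braced permission list, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
PERMISSIVE_RE = re.compile(r"permissive=(\d)")


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(raw):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        if "type=AVC" not in line:      # SYSCALL, PATH etc. records carry no denial
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group("scon")), context_type(m.group("tcon")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules


def all_permissive(raw):
    """True if every AVC record was logged with permissive=1, i.e. the run was not cut
    short by the first denial and the captured set is complete for that workload."""
    flags = []
    for line in raw.splitlines():
        if "type=AVC" in line:
            m = PERMISSIVE_RE.search(line)
            if m:
                flags.append(m.group(1))
    return bool(flags) and all(f == "1" for f in flags)


def render_module(name, rules, version="1.0"):
    """Render Type Enforcement source in the layout audit2allow -M produces."""
    types = set()
    classes = defaultdict(set)
    allows = defaultdict(list)          # source type -> allow lines
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        types.update({stype, ttype})
        classes[tclass].update(perms)
        target = "self" if stype == ttype else ttype   # same type on both sides -> self
        allows[stype].append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype, lines in sorted(allows.items()):
        out.append(f"#============= {stype} ==============")
        out.extend(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AVC)
    print("capture complete (all permissive):", all_permissive(SAMPLE_AVC))
    print(render_module("my-vppmain", denials))
```

The generated rules are exactly as wide as the denials that were logged, which is why the reporter's module grants only the four chr_file permissions on vhost_device_t and the three netlink_route_socket permissions on self; a module built this way should be read rule by rule before `semodule -i` installs it, since any extra denial in the capture window becomes a permanent allow.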