VPP-1679

SELinux rules are not set accordingly

Type: Bug
Priority: Medium
Resolution: Open
Component: VPP Binary APIs
Environment:
  CentOS 7.6 (clean install)
  RHEL 7.6 (clean install)
  VPP 18.04, 18.10, 19.04.

      After compiling VPP 19.04 with support for the MLX5 DPDK driver and installing it, VPP is unable to access the DPDK devices. Neither is it able to create a new RDMA device. This happens on CentOS 7.6 and RHEL 7.6. The problem exists in 18.04, 18.10 and 19.01 as well, but in these versions the RDMA part is not relevant.

      vpp# create int rdma host-if enp1s0f1 name rdma-0
      create interface rdma: no RDMA devices available, errno = 13. Is the ib_uverbs module loaded?: Permission denied

      Meanwhile, for DPDK, the PCI devices are listed as usual:

      vpp# show pci
      Address      Sock VID:PID     Link Speed   Driver          Product Name                    Vital Product Data
      0000:01:00.0      15b3:1013   8.0 GT/s x8  mlx5_core       CX414A - ConnectX-4 QSFP28      PN: MCX414A-BCAT
                                                                                                 EC: A7
                                                                                                 SN: MT1622X00459
                                                                                                 V0: 0x 50 43 49 65 47 65 6e 33 ...
                                                                                                 RV: 0x 40
      0000:01:00.1      15b3:1013   8.0 GT/s x8  mlx5_core       CX414A - ConnectX-4 QSFP28      PN: MCX414A-BCAT
                                                                                                 EC: A7

      After disabling SELinux using

      sudo setenforce 0

      the devices are available and usable with DPDK as well as with RDMA.

      Version used:

      vpp# show version verbose cmdline
      Version:                  v19.04.1-rc0~6-g725c6c4
      Compiled by:              centos
      Compile host:             node6
      Compile date:             Wed May 15 10:03:13 UTC 2019
      Compile location:         /home/centos/vpp.1904
      Compiler:                 GCC 7.3.1 20180303 (Red Hat 7.3.1-5)
      Current PID:              30798
      Command line arguments:
        /usr/bin/vpp
        unix { nodaemon log /var/log/vpp/vpp.log full-coredump cli-listen /run/vpp/cli.sock }
        api-trace { on }
        cpu { }
        dpdk {
          dev 0000:01:00.1 { num-rx-queues 1 }
          dev 0000:01:00.0 { num-rx-queues 1 }
        }
        api-segment { gid: vpp }

      Error log in /var/log/messages after starting VPP

      May 16 07:54:06 node6 dbus[6898]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
      May 16 07:54:07 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from using the chown capability. For complete SELinux messages run: sealert -l 00e1e2d2-4f30-4f38-923c-d34aa07646bf
      May 16 07:54:07 node6 python: SELinux is preventing /usr/bin/vpp from using the chown capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should have the chown capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:07 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from setopt access on the netlink_route_socket labeled vpp_t. For complete SELinux messages run: sealert -l feb2ffea-80c5-4804-aeac-c9c42e28448b
      May 16 07:54:07 node6 python: SELinux is preventing /usr/bin/vpp from setopt access on the netlink_route_socket labeled vpp_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed setopt access on netlink_route_socket labeled vpp_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:07 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from create access on the netlink_socket labeled vpp_t. For complete SELinux messages run: sealert -l eee0e1f0-ea9f-4f1d-9ead-9541dccbbd70
      May 16 07:54:07 node6 python: SELinux is preventing /usr/bin/vpp from create access on the netlink_socket labeled vpp_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed create access on netlink_socket labeled vpp_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:07 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from setopt access on the netlink_socket labeled vpp_t. For complete SELinux messages run: sealert -l d35b5ba0-17be-4852-a27e-2ab50d9ba173
      May 16 07:54:07 node6 python: SELinux is preventing /usr/bin/vpp from setopt access on the netlink_socket labeled vpp_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed setopt access on netlink_socket labeled vpp_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:07 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from bind access on the netlink_socket labeled vpp_t. For complete SELinux messages run: sealert -l a58fda4d-cda0-4fae-9893-1abecbc51a48
      May 16 07:54:07 node6 python: SELinux is preventing /usr/bin/vpp from bind access on the netlink_socket labeled vpp_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed bind access on netlink_socket labeled vpp_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:10 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file uverbs0. For complete SELinux messages run: sealert -l b753a050-5190-4ebf-939e-25925c10a912
      May 16 07:54:10 node6 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file uverbs0.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read write access on the uverbs0 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:10 node6 setroubleshoot: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file uverbs0. For complete SELinux messages run: sealert -l b753a050-5190-4ebf-939e-25925c10a912
      May 16 07:54:10 node6 python: SELinux is preventing /usr/bin/vpp from 'read, write' accesses on the chr_file uverbs0.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed read write access on the uverbs0 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:19 node6 setroubleshoot: failed to retrieve rpm info for /dev/infiniband/uverbs0
      May 16 07:54:19 node6 setroubleshoot: SELinux is preventing vpp from map access on the chr_file /dev/infiniband/uverbs0. For complete SELinux messages run: sealert -l d012cc6d-3a06-4745-90ae-0ff472eba74d
      May 16 07:54:19 node6 python: SELinux is preventing vpp from map access on the chr_file /dev/infiniband/uverbs0.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed map access on the uverbs0 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012
      May 16 07:54:31 node6 dbus[6898]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
      May 16 07:54:31 node6 dbus[6898]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
      May 16 07:54:32 node6 setroubleshoot: SELinux is preventing vpp from getattr access on the netlink_route_socket labeled vpp_t. For complete SELinux messages run: sealert -l c2e24f89-1837-47a5-9399-d4c1203416d7
      May 16 07:54:32 node6 python: SELinux is preventing vpp from getattr access on the netlink_route_socket labeled vpp_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vpp should be allowed getattr access on netlink_route_socket labeled vpp_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vpp' --raw | audit2allow -M my-vpp#012# semodule -i my-vpp.pp#012

      Results of sudo ausearch -c 'vpp' --raw | audit2allow -M my-vpp

      [centos@node6 test]$ sudo ausearch -c 'vpp' --raw | audit2allow -M my-vpp
      To make this policy package active, execute:

      semodule -i my-vpp.pp

      [centos@node6 test]$ ls
      my-vpp.pp  my-vpp.te

      [centos@node6 test]$ cat my-vpp.te
      module my-vpp 1.0;

      require {
              type vpp_t;
              type infiniband_device_t;
              class capability chown;
              class netlink_route_socket { getattr setopt };
              class netlink_socket { bind create setopt };
              class chr_file { getattr map open read write };
      }

      #============= vpp_t ==============
      allow vpp_t infiniband_device_t:chr_file { getattr map open read write };
      allow vpp_t self:capability chown;
      allow vpp_t self:netlink_route_socket { getattr setopt };
      allow vpp_t self:netlink_socket { bind create setopt };
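A review step for the generated module, added here as an example that is not from the issue or the VPP project: since ausearch -c 'vpp' collects every denial logged for that command name and audit2allow turns all of them into allow rules, the script parses the allow rules of a .te file and reports any rule or permission outside an allow-list of what the report shows VPP needs. The allow-list (EXPECTED) and the extra shadow_t rule in SWEPT_IN are assumptions constructed for the demonstration.

```python
import re

# The module audit2allow generated in the report (rules quoted from the issue above).
GENERATED_TE = """\
module my-vpp 1.0;
require {
    type vpp_t; type infiniband_device_t;
    class capability chown;
    class netlink_route_socket { getattr setopt };
    class netlink_socket { bind create setopt };
    class chr_file { getattr map open read write };
}
allow vpp_t infiniband_device_t:chr_file { getattr map open read write };
allow vpp_t self:capability chown;
allow vpp_t self:netlink_route_socket { getattr setopt };
allow vpp_t self:netlink_socket { bind create setopt };
"""
# Constructed: the same module plus one rule an unrelated denial for comm="vpp" could add.
SWEPT_IN = GENERATED_TE + "allow vpp_t shadow_t:file { open read };\n"

# What the report shows VPP needs on this host (assumed allow-list for the review).
EXPECTED = {
    ("vpp_t", "infiniband_device_t", "chr_file"): {"getattr", "map", "open", "read", "write"},
    ("vpp_t", "self", "capability"): {"chown"},
    ("vpp_t", "self", "netlink_route_socket"): {"getattr", "setopt"},
    ("vpp_t", "self", "netlink_socket"): {"bind", "create", "setopt"},
}

# Matches "allow <src> <tgt>:<class> { p1 p2 };" as well as "allow <src> <tgt>:<class> p1;".
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, frozenset(perms)) for every allow rule in te_text."""
    rules = []
    for src, tgt, cls, perm_set, perm in ALLOW_RE.findall(te_text):
        perms = frozenset(perm_set.split()) if perm_set else frozenset([perm])
        rules.append((src, tgt, cls, perms))
    return rules

def review(te_text, expected=EXPECTED):
    """List every rule, or permission within a rule, that the allow-list does not cover."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        allowed = expected.get((src, tgt, cls))
        if allowed is None:
            findings.append(f"unexpected rule: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
        elif not perms <= allowed:
            findings.append(f"excess permissions on {tgt}:{cls}: {' '.join(sorted(perms - allowed))}")
    return findings

if __name__ == "__main__":
    for name, te in (("generated", GENERATED_TE), ("swept-in", SWEPT_IN)):
        print(name, "->", review(te) or "clean, safe to semodule -i")
```

An empty result means every rule in the module is one the report accounts for; anything listed should be dropped from the .te (and the module rebuilt with checkmodule/semodule_package) before semodule -i.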

Assignee: Billy McFall
Reporter: Eyle Brinkhuis