Bug 1012551
Summary: | Neutron fails to function with SELinux enabled | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Ben Nemec <bnemec> |
Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
Status: | CLOSED DUPLICATE | QA Contact: | Ami Jeain <ajeain> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.0 | CC: | aortega, apevec, bnemec, derekh, hateya, lhh, lpeer, mgrepl, mmagr, twilson, yeylon |
Target Milestone: | rc | ||
Target Release: | 4.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-12-03 21:59:05 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Ben Nemec
2013-09-26 15:52:34 UTC
Any SELinux denials in the audit.log, does it work with

Difference could be that when you run from shell, process runs unconfined.

Shoot, you're right. I thought SELinux was turned off on this system, but I checked again and it wasn't. With it disabled Neutron works correctly under systemd. Still a problem, just not the one I initially reported. :-) I'll update the title.

Will you need entries from the audit log to fix this? For some reason I only seem to have audit logs from today, and since I tried shutting off SELinux last night there's nothing related to this that I can see. If needed, I can try recreating the problem though.

Yes please. Output of "ausearch -m avc" should be enough.

Okay, here are the last few lines from that (there were 694 hits when I ran the command, so I assume you don't want them all :-):

```
time->Wed Oct 2 11:44:37 2013
type=SYSCALL msg=audit(1380732277.809:13751): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=13679 pid=13682 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732277.809:13751): avc: denied { mounton } for pid=13682 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:44:37 2013
type=SYSCALL msg=audit(1380732277.828:13754): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=13681 pid=13683 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732277.828:13754): avc: denied { mounton } for pid=13683 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:45:07 2013
type=SYSCALL msg=audit(1380732307.897:13963): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=13852 pid=13856 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732307.897:13963): avc: denied { mounton } for pid=13856 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:45:07 2013
type=SYSCALL msg=audit(1380732307.910:13966): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=13854 pid=13857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732307.910:13966): avc: denied { mounton } for pid=13857 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:45:37 2013
type=SYSCALL msg=audit(1380732337.989:14175): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=14074 pid=14076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732337.989:14175): avc: denied { mounton } for pid=14076 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:45:37 2013
type=SYSCALL msg=audit(1380732337.999:14178): arch=c000003e syscall=165 success=no exit=-13 a0=43a1b4 a1=43523a a2=436315 a3=104000 items=0 ppid=14075 pid=14077 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732337.999:14178): avc: denied { mounton } for pid=14077 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
```

This is a duplicate of another bug. As it turns out, most of the AVCs are related to wrong file labels on /usr/bin/neutron-*.

```
semanage fcontext -a -t neutron_exec_t /usr/bin/neutron-lbaas-agent
semanage fcontext -a -t neutron_exec_t /usr/bin/neutron-rootwrap
restorecon /usr/bin/neutron*
```

In the updated openstack-selinux which is in the beta channel for RHOS 4.0, the above is done for you during RPM installation.

*** This bug has been marked as a duplicate of bug 1020052 ***
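A triage helper for the kind of "ausearch -m avc" output quoted in this bug: it parses each AVC record and counts denials by source type, target type, object class and permission, so a long run of hits (694 here) collapses to a few distinct rules to look at. This is an added example, not code from the bug report or from openstack-selinux; the SAMPLE records are constructed from the first two denials shown above.

```python
import re
from collections import Counter

# Constructed sample in the shape of "ausearch -m avc" output, using the
# first two records from the report above ("----" separates records).
SAMPLE = """time->Wed Oct 2 11:44:37 2013
type=SYSCALL msg=audit(1380732277.809:13751): arch=c000003e syscall=165 success=no exit=-13 ppid=13679 pid=13682 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732277.809:13751): avc: denied { mounton } for pid=13682 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
----
time->Wed Oct 2 11:44:37 2013
type=SYSCALL msg=audit(1380732277.828:13754): arch=c000003e syscall=165 success=no exit=-13 ppid=13681 pid=13683 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1380732277.828:13754): avc: denied { mounton } for pid=13683 comm="ip" path="/run/netns" dev="tmpfs" ino=45625 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir
"""

# Matches the AVC record; \s+ tolerates the double spaces real ausearch prints.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Yield one dict per AVC denial: its key=value fields plus 'perms'."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # time-> and SYSCALL lines carry no denial
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        rec['perms'] = m.group('perms').split()
        yield rec


def summarize(text):
    """Count denials by (source type, target type, class, permission).
    The type is the third field of a user:role:type:level context."""
    counts = Counter()
    for rec in parse_avc(text):
        stype = rec['scontext'].split(':')[2]
        ttype = rec['tcontext'].split(':')[2]
        for perm in rec['perms']:
            counts[(stype, ttype, rec['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    for (stype, ttype, tclass, perm), n in summarize(SAMPLE).most_common():
        print(f"{n:5d}  {stype} -> {ttype} ({tclass}) {perm}")
```

Feed it the real output with `ausearch -m avc | python3 avc_summary.py` after swapping SAMPLE for `sys.stdin.read()`; a denial that still appears after relabeling with restorecon is a different rule from the mislabeled-binary case, as the duplicate resolution above notes.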