Bug 1024330

Summary: Wrong SELinux policies set for neutron-dhcp-agent

Field | Value | Field | Value
---|---|---|---
Product: | [Community] RDO | Reporter: | Diogo Vieira <dfv>
Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ofer Blaut <oblaut>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | unspecified | CC: | chrisw, dwalsh, kchamart, lvrabec, mgrepl, yeylon
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1072983 | Environment: |
Last Closed: | 2016-03-30 23:09:45 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1072983 | |
Attachments: | | |
Created attachment 817063: audit2allow

Created attachment 817064: audit2why
selinux-policy and selinux-policy-targeted versions are 3.12.1.

Diogo, thanks for the report, a couple of things:

(1) You haven't specified the complete NVR of the package you're using. You only specified the version of the package in comment #3 but not the revision number. Note that 3.12.1 can have a lot of *revisions* -- http://koji.fedoraproject.org/koji/packageinfo?packageID=32. Next time, please specify the full Name-Version-Release of a package, e.g. selinux-policy-3.12.1-74.10.fc19 (*if* that was the N-V-R that didn't work for you), so that it's easy to debug/narrow down issues. Friendly reminder: https://wiki.openstack.org/wiki/BugFilingRecommendations

(2) Can you try with the latest selinux-policy and selinux-policy-targeted version packages for 6.4 in case you were using older ones?

(3) If you have time, it'll also be useful to generate a reference policy to narrow down specific AVC denials. A few commands you can try:

    # Enable SELinux
    $ setenforce 1

    # Clear your audit log
    $ > /var/log/audit/audit.log

    # Restart neutron-dhcp-agent
    $ systemctl restart neutron-dhcp-agent

    # Show a reference policy
    $ cat /var/log/audit/audit.log | audit2allow -R

And, if you're feeling more adventurous, you can even generate the policy by doing:

    # Generate an SELinux loadable module package
    $ audit2allow -a -M neutron

    # Install the policy package
    $ semodule -i neutron.pp

    # Restart neutron-dhcp-agent again
    $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.

Ref: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Lon, please correct me if I said something wrong here.
> (2) Can you try with latest selinux-policy and selinux-policy-targeted
> version packages for 6.4 in case you were using older ones?

I meant, for F19.
neutron-dhcp-agent simply needs the right label - it should be neutron_exec_t; we shouldn't need specific policies for it.

quantum.fc:

    /usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)

We need to backport all changes to F19. CC-ing Lukas.

Ping, just a periodic combing through RDO bugs. Any update here?

I believe it has already been added to F19.

I checked it and added some missing rules to the F19 branch.

    commit f91e97aa6f13dd05d750a79f0a87de5364a03c73
    Author: Lukas Vrabec <lvrabec>
    Date:   Thu Apr 17 18:22:00 2014 +0200

        Add some rules from F20 branch in quantum policy
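The two pieces of advice in this thread interact. audit2allow -R turns whatever denials it is fed into allow rules, and if /usr/bin/neutron-dhcp-agent is not labelled neutron_exec_t the daemon never transitions into its own domain, so the denials carry the launching domain (init_t under systemd) as their source. Loading those rules would widen systemd's domain instead of fixing the label. The script below is an added example, not code from this bug or from openstack-selinux: it parses AVC records, groups the denials for neutron-dhcp-agent by source domain, prints the audit2allow-style rule each group would produce, and marks any group whose source domain is not neutron_t as a relabel problem rather than a policy gap. The audit records are constructed for illustration; neutron_t as the expected domain and init_t as the domain a mislabelled binary stays in are assumptions, not something the bug states.

```python
"""Triage AVC denials for neutron-dhcp-agent before feeding them to audit2allow.

Added example, not part of bug 1024330 or of openstack-selinux. Assumptions:
a correctly labelled /usr/bin/neutron-dhcp-agent (neutron_exec_t) runs in
neutron_t; denials whose source domain is something else (typically init_t,
the domain of the systemd that launched it) point at a missing label, not at
a missing policy rule.
"""
import re
from collections import defaultdict

# The kernel records comm as the basename of the executed path truncated to
# 15 characters (TASK_COMM_LEN - 1): "neutron-dhcp-agent" -> "neutron-dhcp-ag".
TASK_COMM_MAX = 15
EXPECTED_DOMAIN = "neutron_t"   # assumed domain of a correctly labelled agent
VERDICT_RELABEL = "relabel"     # wrong source domain: fix the file label first
VERDICT_POLICY = "policy"       # denials inside neutron_t: a real policy gap

# Constructed sample records (not the attached dhcp-agent.log or audit2why output).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1385042001.101:201): avc:  denied  { read } for  pid=2101 comm="neutron-dhcp-ag" name="dhcp_agent.ini" dev="vda1" ino=40123 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:neutron_conf_t:s0 tclass=file
type=AVC msg=audit(1385042001.102:202): avc:  denied  { write } for  pid=2101 comm="neutron-dhcp-ag" name="dhcp-agent.log" dev="vda1" ino=40456 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=file
type=AVC msg=audit(1385042001.103:203): avc:  denied  { name_connect } for  pid=2101 comm="neutron-dhcp-ag" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1385042001.103:203): arch=c000003e syscall=42 success=no exit=-13 comm="neutron-dhcp-ag" exe="/usr/bin/python2.7"
type=AVC msg=audit(1385042005.200:210): avc:  denied  { execute } for  pid=2150 comm="neutron-dhcp-ag" name="dnsmasq" dev="vda1" ino=1234 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1385042006.300:211): avc:  denied  { getattr } for  pid=900 comm="httpd" name="index.html" dev="vda1" ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        fields[fm.group(1)] = fm.group(2) if fm.group(2) is not None else fm.group(3)
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
    }


def type_of(context):
    """system_u:system_r:init_t:s0 -> init_t (the type is the third field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(audit_text, comm="neutron-dhcp-agent", expected_domain=EXPECTED_DOMAIN):
    """Group denials for `comm` by source domain; return {domain: {verdict, rules}}."""
    wanted = comm[:TASK_COMM_MAX]
    perms_by_key = defaultdict(set)          # (sdomain, ttype, tclass) -> perms
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["comm"] == wanted:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            perms_by_key[key].update(rec["perms"])
    report = {}
    for (sdom, ttype, tclass), perms in perms_by_key.items():
        # Same shape audit2allow -R would emit for this group of denials.
        rule = "allow %s %s:%s { %s };" % (sdom, ttype, tclass, " ".join(sorted(perms)))
        verdict = VERDICT_POLICY if sdom == expected_domain else VERDICT_RELABEL
        report.setdefault(sdom, {"verdict": verdict, "rules": []})["rules"].append(rule)
    for entry in report.values():
        entry["rules"].sort()
    return report


if __name__ == "__main__":
    for dom, entry in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        print("source domain %s: %s" % (dom, entry["verdict"]))
        for rule in entry["rules"]:
            print("    " + rule)
        if entry["verdict"] == VERDICT_RELABEL:
            print("    -> do not load these with audit2allow; check the binary label:")
            print("       ls -Z /usr/bin/neutron-dhcp-agent")
            print("       matchpathcon -V /usr/bin/neutron-dhcp-agent && restorecon -v /usr/bin/neutron-dhcp-agent")
```

On the constructed input the init_t group is reported as a relabel problem with three would-be rules that should never be loaded, and only the single neutron_t denial is left as a genuine candidate for a policy change; run it on a freshly cleared audit.log as in the steps above and treat a non-empty relabel group as the signal to run restorecon before semodule.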
Created attachment 817062: dhcp-agent.log

Description of problem:
Trying to start up the neutron-dhcp-agent fails because of SELinux. After setenforce 0 it starts correctly.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Start neutron-dhcp-agent in an OpenStack fresh install (with packstack).

Actual results:
neutron-dhcp-agent fails to start.

Expected results:
neutron-dhcp-agent should start correctly.

Additional info:
Verified in Fedora 19 Cloud Image with OpenStack Havana (installed with packstack). Relevant part of the logs attached. Because the output of audit2why is very verbose I attached only a small subset consisting of the first messages that seemed to have something to do with neutron-dhcp-agent. I can try to provide more info if needed.