Bug 1049817

Summary: neutron-dhcp-agent fails to start with plenty of SELinux AVC denials
Product: [Fedora] Fedora Reporter: Kashyap Chamarthy <kchamart>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: chrisw, dominick.grift, dwalsh, lars, lbezdick, lhh, lvrabec, mgrepl, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1049807 Environment:
Last Closed: 2015-06-30 00:50:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1049807    
Attachments:
Description Flags
audit.log containing AVC messages from an all-in-one RDO install on F20 none

Description Kashyap Chamarthy 2014-01-08 09:52:16 UTC 
+++ This bug was initially created as a clone of Bug #1049807 +++

Description of problem
----------------------

Starting neutron-dhcp-agent fails with a lot of SELinux denials.

Large stack traces along the lines of:

    [. . .]
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.register(fileno, new=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/poll.py", line 44, in register
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.poll.register(fileno, mask)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent IOError: [Errno 22] Invalid argument
    [. . .]

SELinux details:

    $ cat /var/log/audit/audit.log | audit2allow -R                                                            
    
    require {
            type neutron_t;
            type proc_net_t;
            type sysfs_t;
            type dnsmasq_etc_t;
            class process { signal setcap };
            class rawip_socket { getopt create setopt };
            class capability { net_raw chown net_admin dac_override sys_admin net_bind_service };
            class file { getattr read open };
            class filesystem { mount unmount };
            class netlink_route_socket nlmsg_write;
    }
    
    #============= neutron_t ==============
    allow neutron_t dnsmasq_etc_t:file { read getattr open };
    allow neutron_t proc_net_t:file { read getattr open };
    allow neutron_t self:capability { net_raw chown net_admin sys_admin net_bind_service dac_override };
    allow neutron_t self:netlink_route_socket nlmsg_write;
    allow neutron_t self:process { signal setcap };
    allow neutron_t self:rawip_socket { getopt create setopt };
    allow neutron_t sysfs_t:filesystem { mount unmount };
    corenet_tcp_bind_dns_port(neutron_t)
    corenet_udp_bind_dhcpd_port(neutron_t)
    corenet_udp_bind_dns_port(neutron_t)
    dev_mounton_sysfs(neutron_t)
    dnsmasq_exec(neutron_t)
    files_mounton_rootfs(neutron_t)
    iptables_exec(neutron_t)
    kernel_getattr_proc(neutron_t)
    kernel_request_load_module(neutron_t)


Version
-------

    $ rpm -q openstack-neutron openvswitch dnsmasq selinux-policy
    openstack-neutron-2014.1-0.1.b1.fc21.noarch
    openvswitch-2.0.0-1.fc20.x86_64
    dnsmasq-2.68-0.1.rc3.fc20.x86_64
    selinux-policy-3.12.1-106.fc20.noarch


How reproducible: Consistently.


Steps to Reproduce
------------------

    $ setenforce 1
    $ systemctl restart neutron-dhcp-agent
    $ systemctl status neutron-dhcp-agent


Actual results 
--------------

neutron-dhcp-agent fails to start.

    $ less /var/log/neutron/dhcp-agent.log
    [. . .]
    2014-01-08 02:55:41.233 22829 TRACE neutron.openstack.common.threadgroup IOError: [Errno 22] Invalid argument
    2014-01-08 02:55:41.233 22829 TRACE neutron.openstack.common.threadgroup 
    2014-01-08 02:55:41.245 22829 ERROR neutron.agent.dhcp_agent [req-b5b70480-626b-41c6-bdaa-f24c6a6f5fd8 None None] Failed reporting state!
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent Traceback (most recent call last):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/dhcp_agent.py", line 577, in _report_state
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.state_rpc.report_state(ctx, self.agent_state, self.use_call)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/rpc.py", line 72, in report_state
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     return self.call(context, msg, topic=self.topic)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/proxy.py", line 126, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     result = rpc.call(context, real_topic, msg, timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/__init__.py", line 140, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     return _get_impl().call(CONF, context, topic, msg, timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 767, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     rpc_amqp.get_connection_pool(conf, Connection))
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 549, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     rv = multicall(conf, context, topic, msg, timeout, connection_pool)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 539, in multicall
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     connection_pool.reply_proxy = ReplyProxy(conf, connection_pool)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 192, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     super(ReplyProxy, self).__init__(conf, connection_pool, pooled=False)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 126, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     server_params=server_params)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 458, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.reconnect()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 499, in reconnect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.connection.open()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "<string>", line 6, in open
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 273, in open
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.attach(timeout=timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "<string>", line 6, in attach
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 291, in attach
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     if not self._ewait(lambda: self._transport_connected and not self._unlinked(), timeout=timeout):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 224, in _ewait
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.check_error()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 217, in check_error
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     raise e
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent InternalError: Traceback (most recent call last):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/driver.py", line 495, in dispatch
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.connect()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/driver.py", line 522, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self._transport = trans(self.connection, host, port)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/transports.py", line 28, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.socket = connect(host, port)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/util.py", line 68, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     sock.connect(sa)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/greenio.py", line 180, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     trampoline(fd, write=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/__init__.py", line 119, in trampoline
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     listener = hub.add(hub.WRITE, fileno, current.switch)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/epolls.py", line 52, in add
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.register(fileno, new=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/poll.py", line 44, in register
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.poll.register(fileno, mask)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent IOError: [Errno 22] Invalid argument
    [. . .]


Expected results
----------------

neutron-dhcp-agent should starts successfully with SELinux in Enforcing.


Additional info
---------------

- Not all neutron /usr/bin/neutron-* files have neutron_exec_t:

    $ ls -lZ /usr/bin/neutron* 
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-db-manage
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-debug
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-dhcp-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-dhcp-setup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-l3-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-l3-setup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-lbaas-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-metadata-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-netns-cleanup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-node-setup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-ns-metadata-proxy
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-openvswitch-agent
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-ovs-cleanup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-rootwrap
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-rootwrap-xen-dom0
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-server
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-server-setup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-usage-audit


- Workaround: Place SELinux in Permissive mode

    $ setenforce 0
    $ systemctl restart neutron-dhcp-agent
    $ systemctl status neutron-dhcp-agent


- Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1024330

--- Additional comment from Kashyap Chamarthy on 2014-01-08 04:45:14 EST ---

Complete SELinux audit.log with raw AVC messages:

  http://kashyapc.fedorapeople.org/temp/audit.log
Comment 1 Miroslav Grepl 2014-01-08 11:36:12 UTC 
Fixed in selinux-policy-3.12.1-113.fc20
Comment 2 Lars Kellogg-Stedman 2014-01-08 18:51:45 UTC 
Created attachment 847302 [details]
audit.log containing AVC messages from an all-in-one RDO install on F20

With selinux-policy-3.12.1.113 installed:

  # rpm -q selinux-policy
  selinux-policy-3.12.1-113.fc20.noarch

Using a "packstack --allinone" install, I still get the following from "audit2allow -a":

#============= neutron_t ==============
allow neutron_t file_t:dir mounton;
allow neutron_t netutils_exec_t:file { read execute open execute_no_trans };
allow neutron_t root_t:dir mounton;
allow neutron_t self:capability { net_raw dac_override };
allow neutron_t self:netlink_route_socket nlmsg_write;
allow neutron_t self:packet_socket { bind create getattr };
allow neutron_t self:process setcap;
allow neutron_t sysctl_net_t:dir search;
allow neutron_t sysctl_net_t:file { write getattr open };
allow neutron_t sysfs_t:filesystem unmount;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow neutron_t unreserved_port_t:tcp_socket name_bind;
allow neutron_t var_run_t:dir mounton;
allow neutron_t var_run_t:file { read create open mounton };

#============= rsync_t ==============

#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:dir { write add_name };

#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:file { write create };

#============= swift_t ==============
allow swift_t file_t:dir { write getattr read create open add_name };
allow swift_t tmpfs_t:dir { write remove_name add_name };
allow swift_t tmpfs_t:file { write getattr link read create unlink open };
allow swift_t tmpfs_t:filesystem getattr;
allow swift_t xserver_port_t:tcp_socket name_bind;

I have attached the raw audit.log.  Obviously this covers more than just neutron.
Comment 3 Miroslav Grepl 2014-01-09 14:41:24 UTC 
We have ifconfig_var_run_t labeling for

/run/netns

but it was for 

ifconfig_domtrans(neutron_t)

case which we needed to change to ifconfig_exec(neutron). 

Did ifconfig access the /run/netns directory?

I think we need to change the label - neutron_var_run_t for example. Also not sure if we need all domain transition change to exec.
Comment 4 Lon Hohberger 2014-01-09 15:43:58 UTC 
The 'ip' command is what's used to set up network namespaces, so I assume it will certainly access /run/netns - but I've not checked.

The important thing is that /run/netns probably isn't right to be neutron_var_run_t, as it's possible to use network namespaces outside of neutron's usage.
Comment 5 Lon Hohberger 2014-01-09 15:57:17 UTC 
Yes, 'ip netns add/delete/etc' accesses /run/netns.  On F19 and prior (incl. RHEL6), it was accessing /var/run/netns.

On RHEL6/CentOS 6, you would not see this since neutron ran in an unconfined domain, IIRC.
Comment 6 Fedora End Of Life 2015-05-29 10:23:02 UTC 
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 7 Fedora End Of Life 2015-06-30 00:50:08 UTC 
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.