Bug 1072983

Summary: Wrong SELinux policies set for neutron-dhcp-agent
Product: [Fedora] Fedora
Reporter: Miroslav Grepl <mgrepl>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 19
CC: chrisw, dfv, dominick.grift, dwalsh, itamar, kchamart, lhh, lvrabec, mgrepl, p, yeylon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-74.26.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1024330
Environment:
Last Closed: 2014-06-27 02:23:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1024330
Bug Blocks:

Description Miroslav Grepl 2014-03-05 14:57:39 UTC
+++ This bug was initially created as a clone of Bug #1024330 +++

Description of problem:
Trying to start up the neutron-dhcp-agent fails because of SELinux. After setenforce 0 it starts correctly.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Start neutron-dhcp-agent in a fresh OpenStack install (with packstack).

Actual results:
neutron-dhcp-agent fails to start.


Expected results:
neutron-dhcp-agent should start correctly.


Additional info:
Verified in Fedora 19 Cloud Image with OpenStack Havana (installed with packstack).

Relevant part of the logs attached. Because the output of audit2why is very verbose I attached only a small subset consisting of the first messages that seemed to have something to do with neutron-dhcp-agent. I can try to provide more info if needed.

--- Additional comment from Diogo Vieira on 2013-10-29 08:16:38 EDT ---



--- Additional comment from Diogo Vieira on 2013-10-29 08:17:09 EDT ---



--- Additional comment from Diogo Vieira on 2013-10-29 08:21:33 EDT ---

selinux-policy and selinux-policy-targeted versions are 3.12.1.

--- Additional comment from Kashyap Chamarthy on 2013-12-11 16:47:34 EST ---

Diogo, thanks for the report, a couple of things:

(1) You haven't specified the complete NVR of the package you're using. You only specified the version of the package in comment #3, but not the revision number. Note that 3.12.1 can have a lot of *revisions* -- http://koji.fedoraproject.org/koji/packageinfo?packageID=32.

Next time, please specify full Name-Version-Release of a package. e.g. selinux-policy-3.12.1-74.10.fc19 (*if* that was the N-V-R that didn't work for you), so that it's easy to debug/narrow down issues.

  Friendly reminder: https://wiki.openstack.org/wiki/BugFilingRecommendations


(2) Can you try with latest selinux-policy and selinux-policy-targeted version packages for 6.4 in case you were using older ones?

(3) If you have time, it'll also be useful to generate a reference policy to narrow down specific AVC denials. A few commands you can try:


  # Enable SELinux
  $ setenforce 1

  # Clear your audit log
  $ > /var/log/audit/audit.log

  # Restart neutron-dhcp-agent
  $ systemctl restart neutron-dhcp-agent

  # Show a reference policy
  $ cat /var/log/audit/audit.log | audit2allow -R

And, if you're feeling more adventurous, you can even generate the policy by doing:

  # Generate an SELinux loadable module package
  $ audit2allow -a -M neutron                                      

  # Install the Policy Package
  $ semodule -i neutron.pp

  # Restart neutron-dhcp-agent again
  $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.

Ref: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Lon, please correct me if I said something wrong here.

--- Additional comment from Kashyap Chamarthy on 2013-12-11 16:49:31 EST ---


> 
> (2) Can you try with latest selinux-policy and selinux-policy-targeted
> version packages for 6.4 in case you were using older ones?

I meant, for F19.

--- Additional comment from Lon Hohberger on 2014-01-02 16:52:53 EST ---

neutron-dhcp-agent simply needs the right label - it should be neutron_exec_t; we shouldn't need specific policies for it.

--- Additional comment from Miroslav Grepl on 2014-01-06 09:04:45 EST ---

quantum.fc:/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)

We need to back port all changes to F19. CC-ing Lukas.
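
Added example, not part of this bug report or of the selinux-policy package: a small POSIX sh triage script that covers the two technical points in this thread, the audit-log inspection from Kashyap's comment and the labelling diagnosis from Lon's and Miroslav's comments. avc_summary reduces audit.log-format input to one line per distinct denial for a given comm; source_domains lists the domains those denied processes ran in; exec_label_ok checks whether an executable's context (as printed by ls -Z) carries the expected type, here neutron_exec_t from the quantum.fc line above. The AVC records, the etc_t/var_lib_t target types and the dnsmasq entries are constructed sample data. The reading that a systemd-started service whose binary lacks an *_exec_t entrypoint never transitions and stays in init_t is general SELinux behaviour, not something this bug states.

```shell
#!/bin/sh
# Added example: triage AVC denials and the exec label of a service binary.
# Needs only sh, grep, sed, cut and sort; no SELinux tooling is required, so
# it can also be run against a copied audit.log on a machine without SELinux.

# Constructed sample of /var/log/audit/audit.log records (shape follows the
# kernel's AVC format; values are invented). The kernel truncates comm to
# 15 characters, so "neutron-dhcp-agent" appears as "neutron-dhcp-ag".
# A dnsmasq denial and a SYSCALL record are included as noise to filter out.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=AVC msg=audit(1383040001.101:201): avc:  denied  { read } for  pid=2301 comm="neutron-dhcp-ag" name="dhcp_agent.ini" dev="vda1" ino=401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1383040001.102:202): avc:  denied  { open } for  pid=2301 comm="neutron-dhcp-ag" path="/etc/neutron/dhcp_agent.ini" dev="vda1" ino=401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1383040002.300:203): avc:  denied  { write } for  pid=2301 comm="neutron-dhcp-ag" name="dhcp" dev="vda1" ino=502 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1383040003.400:204): avc:  denied  { read } for  pid=2311 comm="dnsmasq" name="addn_hosts" dev="vda1" ino=503 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1383040003.400:204): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq" exe="/usr/sbin/dnsmasq"
EOF
)

# avc_summary COMM  (audit records on stdin)
# Prints one line per distinct denial for processes whose comm equals COMM:
#   <source type> <target type> <object class> <denied permission>
# Only type=AVC records are considered; SYSCALL and other record types are
# dropped, and the user/role fields of both contexts are stripped so that
# the type enforcement decision stands out.
avc_summary() {
    grep '^type=AVC ' | grep "comm=\"$1\"" |
    sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    LC_ALL=C sort -u
}

# source_domains COMM  (audit records on stdin)
# Lists the distinct domains the denied processes were running in. A service
# that systemd started and that is still in init_t is the signature of a
# missing or wrong *_exec_t label on its binary: without that entrypoint
# label there is no domain transition and the process inherits systemd's
# domain, so writing allow rules for init_t would be the wrong fix.
source_domains() {
    avc_summary "$1" | cut -d' ' -f1 | LC_ALL=C sort -u
}

# exec_label_ok CONTEXT EXPECTED_TYPE
# CONTEXT is a full security context such as `ls -Z` prints
# (user:role:type:range). Succeeds only when the type field equals
# EXPECTED_TYPE.
exec_label_ok() {
    exec_label_type=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$exec_label_type" = "$2" ]
}

# Stand-alone demonstration on the constructed records.
echo "Denials for neutron-dhcp-agent:"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary neutron-dhcp-ag
echo "Source domain(s): $(printf '%s\n' "$SAMPLE_AUDIT_LOG" | source_domains neutron-dhcp-ag)"

# Constructed label check: bin_t is what a binary without a file-context
# entry typically ends up with; neutron_exec_t is the type the quantum.fc
# line in this bug assigns to /usr/bin/neutron-dhcp-agent.
for ctx in 'system_u:object_r:bin_t:s0' 'system_u:object_r:neutron_exec_t:s0'; do
    if exec_label_ok "$ctx" neutron_exec_t; then
        echo "$ctx: exec label ok"
    else
        echo "$ctx: wrong exec label, relabel the binary with restorecon"
    fi
done
```

On a real host the functions read the live log instead of the sample, for example `avc_summary neutron-dhcp-ag < /var/log/audit/audit.log`, and the context to check comes from `ls -Z /usr/bin/neutron-dhcp-agent`. If source_domains reports init_t for the agent, the remedy is the file-context fix this bug ended with (a quantum.fc entry plus restorecon on the binary), not the audit2allow module from the earlier comment, which would grant init_t the agent's permissions and weaken the confinement of everything systemd runs.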

--- Additional comment from Kashyap Chamarthy on 2014-02-19 07:52:46 EST ---

Ping, just a periodical combing through RDO bugs. 

Any update here?

Comment 1 Lukas Vrabec 2014-03-13 14:41:58 UTC
commit 4a9112d8bbf489fed23b4fe7216f5cdea010c692
Author: Lukas Vrabec <lvrabec>
Date:   Thu Mar 13 15:41:12 2014 +0100

    Backported quantum and neutron rules from rawhide

Comment 2 Fedora Update System 2014-03-21 14:36:21 UTC
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19

Comment 3 Fedora Update System 2014-03-22 05:09:39 UTC
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-05-07 16:26:16 UTC
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19

Comment 5 Fedora Update System 2014-06-27 02:23:22 UTC
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.