Bug 1083335

Summary: nova baremetal instances fail to find image to boot when selinux is set to enforcing
Product: Fedora
Reporter: Richard Su <rwsu>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: ccrouch, dominick.grift, dwalsh, lvrabec, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-153.fc20
Doc Type: Bug Fix
Last Closed: 2014-04-20 01:25:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments (flags: none):
  avc denials logged in permissive mode
  instack.answers file used in undercloud install
  deployrc file containing additional environment variables needed when deploying the overcloud
  avc denials seen after neutron_t and /tftpboot fixes in enforcing mode
  avc denials seen after neutron_t and /tftpboot fixes in permissive mode
  custom policies to fix avc denials

Description Richard Su 2014-04-02 02:18:32 UTC
Created attachment 881584 [details]
avc denials logged in permissive mode

Description of problem:
Within a tripleo-based instack-undercloud environment, nova baremetal instances fail to find an image to boot when selinux is set to enforcing mode. The instances are able to boot when selinux is set to permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135.fc20.noarch
selinux-policy-targeted-3.12.1-135.fc20.noarch
openstack-neutron-2014.1-0.10.b3.fc21.noarch
openstack-neutron-openvswitch-2014.1-0.10.b3.fc21.noarch
iproute-3.12.0-2.fc20.x86_64
tftp-server-5.2-10.fc20.x86_64
dnsmasq-2.68-1.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install instack-undercloud using the instructions on https://github.com/agroup; use README-virt to set up your baremetal nodes and an instack VM. Afterwards I use the package-based install using the instack-undercloud source instead of the rpm. I will attach instack.answers and deployrc, which are additional configuration files. The commands I run to install the undercloud and then deploy the overcloud are:
sudo yum -y install http://repos.fedorapeople.org/repos/openstack-m/openstack-m/openstack-m-release-icehouse-2.noarch.rpm
sudo yum -y install yum-utils git
sudo yum-config-manager --enable fedora-openstack-m-testing
[ -d instack-undercloud ] || git clone https://github.com/agroup/instack-undercloud -b selinux
sed -i 's/\/usr\/share\/instack-undercloud\/json/instack-undercloud\/json/g' instack-undercloud/scripts/instack-install-undercloud-packages
sed -i 's/\/usr\/share\/instack-undercloud/instack-undercloud\/elements/g' instack-undercloud/scripts/instack-install-undercloud-packages
export PATH=instack-undercloud/scripts:$PATH
sudo yum -y install instack
instack-install-undercloud-packages
sudo tuskar-dbsync --config-file /etc/tuskar/tuskar.conf
sudo service openstack-tuskar-api restart
instack-prepare-for-overcloud
source deployrc
instack-deploy-overcloud

Actual results:
baremetal nodes fail to boot when selinux is enforcing

Expected results:
baremetal nodes should boot and instack-deploy-overcloud should complete successfully when selinux is enforcing

Additional info:

Comment 1 Richard Su 2014-04-02 02:22:22 UTC
Created attachment 881586 [details]
instack.answers file used in undercloud install

Usually you only need to change VIRTUAL_POWER_USER, VIRTUAL_POWER_HOST, and SSH_KEY to match your environment.

Comment 2 Richard Su 2014-04-02 02:23:21 UTC
Created attachment 881587 [details]
deployrc file containing additional environment variables needed when deploying the overcloud

Usually you only need to change MACS to match your environment.

Comment 3 Miroslav Grepl 2014-04-02 08:54:58 UTC
commit e95d2ee0354f1186f06a2b7f5e331edcee9fe318
Author: Miroslav Grepl <mgrepl>
Date:   Wed Apr 2 10:51:46 2014 +0200

    Add additional fixes for neutron_t. #1083335

Comment 4 Richard Su 2014-04-03 05:44:55 UTC
The additional fixes for neutron_t plus relabeling /tftpboot eliminate the avc denials I was seeing before when selinux is set to permissive mode. So thank you for the quick turnaround.

But when selinux is set to enforcing I see additional denials. It happens less than half of the time when I start up the instances and doesn't affect all the instances. I will post them as an attachment here.

In permissive mode I did notice one other denial when the baremetal instances are shut down. I will attach the audit log too.

Comment 5 Richard Su 2014-04-03 05:46:39 UTC
Created attachment 882086 [details]
avc denials seen after neutron_t and /tftpboot fixes in enforcing mode

Comment 6 Richard Su 2014-04-03 05:47:26 UTC
Created attachment 882087 [details]
avc denials seen after neutron_t and /tftpboot fixes in permissive mode

Comment 7 Miroslav Grepl 2014-04-03 13:41:20 UTC
Try to add a local policy

1. Re-test in permissive
2. ausearch -m avc -ts recent | audit2allow -M mypol
3. semodule -i mypol.pp

and re-test again in enforcing.
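
Added illustration of step 2 of the procedure above; this is not code from the bug report or from the selinux-policy project. The function below does, in awk, the core of what `audit2allow` does: it reads AVC denial lines and emits the `allow` rules that would end up in mypol.te. The sample denials are constructed (timestamps, pids and comm values are made up) and are shaped after the two rules the upstream commit for this bug names, net_raw for neutron_t and sigkill towards dnsmasq_t. The value of seeing the rules in this form is the review step between `audit2allow` and `semodule -i`: the generated module grants exactly what was denied, so an over-broad denial (for example, a process running in the wrong domain because of a missing file context) turns into an over-broad permanent allow unless someone reads the .te first.

```shell
#!/bin/sh
# Added example (not from this bug report or the selinux-policy project):
# a minimal stand-in for "ausearch -m avc | audit2allow", turning AVC
# denial lines into the allow rules that would be written into mypol.te.

# Constructed sample denials, shaped after the two rules named in the
# upstream commit for this bug (net_raw for neutron_t, sigkill to dnsmasq).
# Timestamps, pids and comm values are made up.
SAMPLE_AVC='type=AVC msg=audit(1396500000.123:456): avc:  denied  { net_raw } for  pid=1234 comm="ip" capability=13  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1396500001.456:457): avc:  denied  { sigkill } for  pid=1235 comm="neutron-dhcp-ag" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1
type=AVC msg=audit(1396500002.789:458): avc:  denied  { sigkill } for  pid=1236 comm="neutron-dhcp-ag" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=1'

# avc_to_allow: read AVC lines on stdin, print one deduplicated
# "allow <source_type> <target_type>:<class> <perms>;" rule per denial.
avc_to_allow() {
    awk '
    # the third field of user:role:type:level is the type
    function type_of(ctx,   parts) {
        split(ctx, parts, ":")
        return parts[3]
    }
    /avc:  *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between the braces
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = type_of(kv[2])
            else if (kv[1] == "tcontext") tgt = type_of(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
        }
        # skip lines that do not carry a complete denial
        if (src == "" || cls == "" || perm == "") next
        # several permissions in one denial need the brace form
        if (perm ~ / /) perm = "{ " perm " }"
        # a denial against the same type is written as self
        if (tgt == src) tgt = "self"
        rule = "allow " src " " tgt ":" cls " " perm ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Stand-alone run: print the rules a reviewer would inspect before loading.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On the constructed input this prints `allow neutron_t self:capability net_raw;` and `allow neutron_t dnsmasq_t:process sigkill;`, the same two grants the upstream commit in this bug added, and the repeated sigkill denial collapses into one rule. Running the real procedure, the rules to read with care are the ones whose source domain is not the service you expected or whose target is a broad file type; those usually point at a labeling problem (as the /tftpboot relabel here did) rather than a missing rule.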

Comment 8 Richard Su 2014-04-03 18:14:47 UTC
Hi Miroslav, 

I added a few custom policies and they have eliminated the avc denials. I will upload them in an attachment. Can we have them incorporated into the next selinux policy package update?

Thanks.

Comment 9 Richard Su 2014-04-03 18:16:00 UTC
Created attachment 882398 [details]
custom policies to fix avc denials

Comment 10 Miroslav Grepl 2014-04-04 07:35:30 UTC
commit effbcb0850772b84d39fadc3da4dc81f50643a4c
Author: Miroslav Grepl <mgrepl>
Date:   Fri Apr 4 09:35:19 2014 +0200

    Allow net_raw cap for neutron_t and send sigkill to dnsmasq

Comment 11 Richard Su 2014-04-04 21:21:06 UTC
I see it got incorporated into http://koji.fedoraproject.org/koji/buildinfo?buildID=509270. Thank you.

Comment 12 Fedora Update System 2014-04-08 04:49:08 UTC
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20

Comment 13 Fedora Update System 2014-04-09 13:16:55 UTC
Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2014-04-14 22:42:32 UTC
Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2014-04-20 01:25:18 UTC
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.