Bug 1150900

Summary: selinux prevents openstack-neutron openvswitch agent to access dbus-daemon
Product: [Fedora] Fedora
Reporter: Matthias Runge <mrunge>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Fixed In Version: selinux-policy-3.13.1-86.fc22
Doc Type: Bug Fix
Last Closed: 2014-10-13 12:14:47 UTC
Type: Bug

Description Matthias Runge 2014-10-09 07:10:06 UTC
Description of problem:



type=USER_AVC msg=audit(1412838148.137:4935): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11816 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1412838150.149:4941): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11836 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


and in /var/log/neutron/openvswitch-agent.log:
2014-10-09 09:02:32.130 3149 CRITICAL neutron [req-6e4b5b7c-7aa2-4be8-b792-4f8b1244de95 None] AssertionError: Trying to re-send() an already-triggered event.
2014-10-09 09:02:32.130 3149 TRACE neutron Traceback (most recent call last):
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/bin/neutron-openvswitch-agent", line 10, in <module>
2014-10-09 09:02:32.130 3149 TRACE neutron     sys.exit(main())
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1632, in main
2014-10-09 09:02:32.130 3149 TRACE neutron     agent.daemon_loop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1559, in daemon_loop
2014-10-09 09:02:32.130 3149 TRACE neutron     self.rpc_loop(polling_manager=pm)
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
2014-10-09 09:02:32.130 3149 TRACE neutron     self.gen.next()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/polling.py", line 39, in get_polling_manager
2014-10-09 09:02:32.130 3149 TRACE neutron     pm.stop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/polling.py", line 106, in stop
2014-10-09 09:02:32.130 3149 TRACE neutron     self._monitor.stop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/async_process.py", line 89, in stop
2014-10-09 09:02:32.130 3149 TRACE neutron     self._kill()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ovsdb_monitor.py", line 99, in _kill
2014-10-09 09:02:32.130 3149 TRACE neutron     super(SimpleInterfaceMonitor, self)._kill(*args, **kwargs)
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/async_process.py", line 116, in _kill
2014-10-09 09:02:32.130 3149 TRACE neutron     self._kill_event.send()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 155, in send
2014-10-09 09:02:32.130 3149 TRACE neutron     assert self._result is NOT_USED, 'Trying to re-send() an already-triggered event.'
2014-10-09 09:02:32.130 3149 TRACE neutron AssertionError: Trying to re-send() an already-triggered event.


Turning selinux to permissive fixes this issue.
selinux-policy-3.12.1-188.fc20.noarch
openvswitch-2.3.0-1.fc20.x86_64
openstack-neutron-2014.2-0.7.b3.fc22.noarch
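
Added example, not part of the original report or of the selinux-policy commit: a Python triage helper that parses the USER_AVC records quoted in the description and collapses them into the raw allow rule they imply. The function names (parse_user_avc, allow_rules) are hypothetical, and the generated rule is audit2allow-style output derived from the log, not the text of the actual policy change.

```python
import re
import shlex
from collections import defaultdict

# The two USER_AVC records from the report; only timestamp:serial and spid differ.
_TEMPLATE = (
    "type=USER_AVC msg=audit(%s): pid=964 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus "
    "member=Hello dest=org.freedesktop.DBus spid=%s "
    "scontext=system_u:system_r:neutron_t:s0 "
    "tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)
REPORT_LINES = [_TEMPLATE % ("1412838148.137:4935", "11816"),
                _TEMPLATE % ("1412838150.149:4941", "11836")]

AVC_RE = re.compile(
    r"type=USER_AVC msg=audit\([\d.]+:(?P<serial>\d+)\):.*?"
    r"msg='avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'\s*$"
)

def selinux_type(context):
    # Context is user:role:type[:level]; the level may contain further colons.
    return context.split(":")[2]

def parse_user_avc(line):
    """Return the fields of one USER_AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(t.split("=", 1) for t in shlex.split(m["rest"]) if "=" in t)
    return {
        "serial": int(m["serial"]), "verdict": m["verdict"],
        "perms": m["perms"].split(),
        "source": selinux_type(kv["scontext"]),   # the denied process (spid)
        "target": selinux_type(kv["tcontext"]),
        "tclass": kv["tclass"], "member": kv.get("member"),
        "spid": int(kv["spid"]) if "spid" in kv else None,
        "enforcer": kv.get("exe"),                # userspace object manager
    }

def allow_rules(lines):
    """Collapse denials into raw allow rules (audit2allow-style, not the commit's text)."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_user_avc, lines)):
        if rec["verdict"] == "denied":
            perms[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(REPORT_LINES)))
```

In a USER_AVC record the outer pid, subj and exe identify the userspace object manager that enforced the decision (here dbus-daemon), while the denied process is the one named by spid and scontext.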

Comment 1 Miroslav Grepl 2014-10-13 12:14:47 UTC
commit d96ba4a9d02ecba2c3b1b7233be3d39fcdfd3335
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 14:14:12 2014 +0200

    Allow neutron connections to system dbus.

Comment 2 Matthias Runge 2014-10-14 08:46:06 UTC
Could you please backport this to f20 as well? F20+ is our testbed for RDO packages (consuming packages from rawhide)

Comment 3 Lukas Vrabec 2014-11-07 11:26:58 UTC
commit d96ba4a9d02ecba2c3b1b7233be3d39fcdfd3335
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 14:14:12 2014 +0200

    Allow neutron connections to system dbus.

This is already fixed in F20.