Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1176830

Summary: RHOS5 with RHEL7.1 : selinux denied on neutron-ns-meta
Product: Red Hat OpenStack Reporter: bkopilov <bkopilov>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA QA Contact: yeylon <yeylon>
Severity: high Docs Contact:
Priority: high    
Version: 5.0 (RHEL 7)CC: jschluet, lhh, mgrepl, sasha, srevivo, yeylon
Target Milestone: z5Keywords: OtherQA, Triaged, ZStream
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.37-1.el7ost Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinux was preventing neutron from using the file system. As a consequence, neutron failed to run. Now, an appropriate rule has been added to SELinux, which allows neutron to run with SELinux in enforcing mode.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-10 11:46:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description bkopilov 2014-12-23 12:35:01 UTC 
Description of problem:
Running rhel7.1 with rhos5 .

From audit.log :

11:21:30 10.35.182.167|check_errors_post_test<<<--|14505:type=AVC msg=audit(1419326478.236:14309): avc:  denied  { getattr } for  pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem


Attaching full log file from automation run ,

Thanks , 
Benny

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 5 Lon Hohberger 2015-08-27 17:22:51 UTC 
[root@rhel7 ~]# audit2why -i tmp.in
type=AVC msg=audit(1419326478.236:14309): avc:  denied  { getattr } for  pid=32013 comm="neutron-ns-meta" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

[root@rhel7 ~]# rpm -q openstack-selinux
openstack-selinux-0.6.37-1.el7ost.noarch
Comment 6 Lon Hohberger 2015-08-27 17:23:27 UTC 
IOW, the current policies address this on RHEL 7.1
Comment 7 Lon Hohberger 2015-08-27 17:24:33 UTC 
Note: 0.6.37 has not been released on RHEL OSP 5 for RHEL 7.
Comment 10 Lon Hohberger 2015-09-02 19:40:10 UTC 
Verified re: comment #5
Comment 12 errata-xmlrpc 2015-09-10 11:46:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1762.html