Bug 1195214
| Summary: | SELinux enabled causes Neutron network interfaces to fail to start | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Richard W.M. Jones <rjones> |
| Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | yeylon <yeylon> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | aortega, lhh, mgrepl, srevivo, yeylon |
| Target Milestone: | --- | Keywords: | ZStream |
| Target Release: | 7.0 (Kilo) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-24 10:37:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1175340 | ||
(In reply to Richard W.M. Jones from comment #0) > Description of problem: > > If you run packstack with SELinux enabled, then Neutron > fails to initialize correctly. You only see the loopback > interface: > > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 > inet 127.0.0.1/8 scope host lo > valid_lft forever preferred_lft forever > inet6 ::1/128 scope host > valid_lft forever preferred_lft forever > > When I started a fresh packstack run with SELinux set to > permissive, I see the full set of interfaces. > > audit2allow recommends: > > #============= neutron_t ============== > allow neutron_t unlabeled_t:file { read open }; We would need to see raw AVCs to check if it is a kernel issue or a bad labeling. > > (I'm afraid I no longer have the original audit logs so I > don't know exactly what file is unlabelled). > > Version-Release number of selected component (if applicable): > > openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch > openstack-selinux-0.6.17-1.aa7a.noarch > > How reproducible: > > Several times. > > Steps to Reproduce: > 1. Run packstack, multinode with default (Neutron) network configuration. > > Additional info: > > Longer explanation by Lars K-S here: > http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/ > msg00457.html |
Description of problem: If you run packstack with SELinux enabled, then Neutron fails to initialize correctly. You only see the loopback interface: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever When I started a fresh packstack run with SELinux set to permissive, I see the full set of interfaces. audit2allow recommends: #============= neutron_t ============== allow neutron_t unlabeled_t:file { read open }; (I'm afraid I no longer have the original audit logs so I don't know exactly what file is unlabelled). Version-Release number of selected component (if applicable): openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch openstack-selinux-0.6.17-1.aa7a.noarch How reproducible: Several times. Steps to Reproduce: 1. Run packstack, multinode with default (Neutron) network configuration. Additional info: Longer explanation by Lars K-S here: http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/msg00457.html