| Summary: | selinux rejects Router Advertisement Daemon commands | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | bkopilov <bkopilov> |
| Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | bkopilov <bkopilov> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 8.0 (Liberty) | CC: | dnavale, jschluet, lhh, mburns, mgrepl, rhel-osp-director-maint, sclewis, srevivo |
| Target Milestone: | ga | Keywords: | TestOnly, ZStream |
| Target Release: | 8.0 (Liberty) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.6.51-1.el7ost | Doc Type: | Bug Fix |
| Doc Text: | Previously, IPv6 was unable to advertise the router advertisement daemon commands, resulting in SELinux rejecting the router advertisement commands and OpenStack Networking failing with errors. With this update, IPv6 is now allowed to advertise the router advertisement commands. As a result, OpenStack Networking runs without errors. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-06-23 18:19:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Created attachment 1109964
audit.log.4

Can you re-run this in permissive? Those AVCs I don't think reveal the issue and the neutron one is already allowed.

Try this out. See if it fixes the issue.

Hi,
Checked in post automation run with tempest. I did not see /usr/sbin/radvd deny.
Benny

Description of problem:
rhel7.2, rhos 8, installed with openstack director.
There are selinux denies for ipv6 messages,

/var/log/audit/audit.log.2:10668:type=AVC msg=audit(1451203693.469:240652): avc: denied { create } for pid=6620 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket

IPV6 advertisement issues:

/var/log/audit/audit.log.2:20275:type=AVC msg=audit(1451207012.915:246764): avc: denied { getattr } for pid=31616 comm="neutron-rootwra" path="/usr/sbin/radvd" dev="sda2" ino=1574747 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:radvd_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
attaching selinux logs