Bug 1294420

Summary: selinux rejects Router Advertisement Daemon commands
Product: Red Hat OpenStack
Reporter: bkopilov <bkopilov>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED CURRENTRELEASE
QA Contact: bkopilov <bkopilov>
Severity: high
Priority: urgent
Version: 8.0 (Liberty)
CC: dnavale, jschluet, lhh, mburns, mgrepl, rhel-osp-director-maint, sclewis, srevivo
Target Milestone: ga
Keywords: TestOnly, ZStream
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.6.51-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, IPv6 was unable to advertise the router advertisement daemon commands, resulting in SELinux rejecting the router advertisement commands and OpenStack Networking failing with errors. With this update, IPv6 is now allowed to advertise the router advertisement commands. As a result, OpenStack Networking runs without errors.
Last Closed: 2016-06-23 18:19:42 UTC
Type: Bug
Attachments:
Description Flags
audit.log.4 none

Description bkopilov 2015-12-28 07:23:58 UTC
Description of problem:
rhel7.2, rhos 8, installed with openstack director.

There are selinux denies for ipv6 messages:

/var/log/audit/audit.log.2:10668:type=AVC msg=audit(1451203693.469:240652): avc:  denied  { create } for  pid=6620 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket

IPv6 advertisement issues:
/var/log/audit/audit.log.2:20275:type=AVC msg=audit(1451207012.915:246764): avc: denied { getattr } for pid=31616 comm="neutron-rootwra" path="/usr/sbin/radvd" dev="sda2" ino=1574747 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:radvd_exec_t:s0 tclass=file



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
attaching selinux logs

Comment 2 bkopilov 2015-12-28 07:29:52 UTC
Created attachment 1109964
audit.log.4

Comment 3 Ryan Hallisey 2016-01-13 17:32:25 UTC
Can you rerun this in permissive? Those AVCs I don't think reveal the issue and the neutron one is already allowed.

Comment 4 Ryan Hallisey 2016-01-13 18:04:27 UTC
Try this out. See if it fixes the issue.

Comment 11 bkopilov 2016-06-05 10:35:54 UTC
Hi,
Checked in post automation run with tempest.
I did not see /usr/sbin/radvd deny.

Benny