Bug 1352710
| Field | Value |
|---|---|
| Summary | SELinux is preventing creation of vpnaas in openstack |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.2 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Reporter | Peter Schiffer <pschiffe> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Milos Malik <mmalik> |
| CC | lvrabec, mgrepl, mmalik, plautrba, pschiffe, pvrabec, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | selinux-policy-3.13.1-87.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2016-11-04 02:33:45 UTC |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem:
SELinux is preventing creation of vpnaas in openstack

Version-Release number of selected component (if applicable):

```
$ rpm -q openstack-neutron-vpnaas python-neutron-vpnaas selinux-policy
openstack-neutron-vpnaas-8.0.0-1.el7.noarch
python-neutron-vpnaas-8.0.0-1.el7.noarch
selinux-policy-3.13.1-60.el7_2.7.noarch
```

How reproducible:
always

Steps to Reproduce:

```
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 mysubnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret
```

Actual results:
Last command fails

Expected results:
Last command succeeds

Additional info:

```
$ cat /var/log/neutron/vpn-agent.log
2016-07-04 21:51:16.070 25850 ERROR neutron.agent.linux.utils [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets’: Operation not permitted
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Failed to enable vpn process on router d067e798-3333-4a03-b61e-82c61173d2fb
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 289, in enable
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.ensure_configs()
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 51, in ensure_configs
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     secrets_file])
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 396, in _execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 927, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     log_fail_as_error=log_fail_as_error, **kwargs)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 140, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(msg)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets’: Operation not permitted
```

```
$ ausearch -a 26152 -i
----
type=SYSCALL msg=audit(07/04/2016 21:51:16.065:26152) : arch=x86_64 syscall=fchown success=no exit=-1(Operation not permitted) a0=0x3 a1=0x0 a2=0x0 a3=0x7ffdd69f6490 items=0 ppid=9350 pid=1556 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chown exe=/usr/bin/chown subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc: denied { chown } for pid=1556 comm=chown capability=chown scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
```

Temporary workaround:

```
$ semanage permissive -a neutron_t
```
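The AVC record above says exactly what the policy is missing: the `neutron_t` domain is denied the `chown` capability against itself (`scontext` and `tcontext` are the same domain, `tclass=capability`). The reporter's workaround, `semanage permissive -a neutron_t`, puts the whole domain into permissive mode, so every other denial for `neutron_t` is logged but no longer enforced until the fixed `selinux-policy-3.13.1-87.el7` is installed. The narrower interim fix is a local policy module carrying only the one allow rule, which is what `audit2allow -M` derives from the audit log. The following is an added example (not code from this bug report, from selinux-policy, or from audit2allow) that parses an AVC denial record and renders that minimal module as `.te` source; the first sample record is the one from this report, the second (a `neutron_var_lib_t` file denial with two permissions) is constructed only to show the general, non-`self` form of the rule and was not observed in this bug.

```python
"""Derive the minimal SELinux allow rule from an AVC denial record.

Added example, not part of the bug report. It reproduces for the one denial
in this report what `audit2allow` derives from the audit log, so the interim
fix can be a targeted policy module rather than a permissive domain.
"""
import re

# Constructed sample 1: the AVC record from this bug (`ausearch -i` form).
SAMPLE_AVC = (
    "type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc: denied { chown } "
    "for pid=1556 comm=chown capability=chown "
    "scontext=system_u:system_r:neutron_t:s0 "
    "tcontext=system_u:system_r:neutron_t:s0 tclass=capability"
)

# Constructed sample 2 (raw audit.log form, quoted fields, two permissions,
# distinct target type). Illustrative only; this denial is not from the report.
SAMPLE_AVC_FILE = (
    'type=AVC msg=audit(1467669076.065:26153): avc:  denied  { read write } '
    'for  pid=1556 comm="chown" name="ipsec.secrets" '
    "scontext=system_u:system_r:neutron_t:s0 "
    "tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file"
)

# Matches both the raw and the `ausearch -i` rendering of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one AVC denial record.

    Returns a dict with the permission list, source and target types, object
    class and the remaining key=value fields, or None if the record is not a
    denial (e.g. the SYSCALL record that accompanies it).
    """
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def _perm_text(perms):
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rule(denial):
    """The narrowest allow rule that satisfies one denial.

    When source and target type coincide (capabilities, signals, the domain's
    own fds) policy language spells the target as `self`.
    """
    target = "self" if denial["stype"] == denial["ttype"] else denial["ttype"]
    return "allow %s %s:%s %s;" % (
        denial["stype"], target, denial["tclass"], _perm_text(denial["perms"])
    )


def policy_module(name, denials, version="1.0"):
    """Render .te source in the shape audit2allow emits: module header, a
    require block declaring every type and class/permission used, then rules."""
    types, classes = set(), {}
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (c, _perm_text(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [allow_rule(d) for d in denials]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # For the denial in this report this prints the one-rule module
    # `neutron_chown.te`, ready for checkmodule/semodule_package/semodule -i.
    print(policy_module("neutron_chown", [parse_avc(SAMPLE_AVC)]))
```

On an affected host the same result comes from `ausearch -m avc -c chown | audit2allow -M neutron_chown` followed by `semodule -i neutron_chown.pp`; either way the module grants `neutron_t` only `chown` on `self:capability` and leaves every other neutron_t restriction enforced, and it can be removed with `semodule -r neutron_chown` once the fixed selinux-policy is installed.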