Bug 1365653

Summary: Failure to configure team with ifcfg
Product: Red Hat Enterprise Linux 7 Reporter: Amit Supugade <asupugad>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 7.3CC: asupugad, dapospis, jaster, lvrabec, lxin, mgrepl, mjahoda, mleitner, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-95.el7 Doc Type: Bug Fix
Doc Text:
It is not known issue anymore, fixed in selinux-policy-3.13.1-95.el7
 Story Points: ---
Clone Of:
: 1367180 (view as bug list) Environment:
Last Closed: 2016-11-04 02:36:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1366991, 1367180    

Description Amit Supugade 2016-08-09 18:30:08 UTC 
Description of problem:
Failure to configure team with ifcfg

Version-Release number of selected component (if applicable):
libteam-1.25-2.el7.x86_64
teamd-1.25-2.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1.
cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f0
DEVICE=enp7s0f0
ONBOOT=no
TEAM_MASTER=team0
EOF

2.
cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f1
DEVICE=enp7s0f1
ONBOOT=no
TEAM_MASTER=team0
EOF

3.
cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-team0
DEVICE=team0
ONBOOT=no
BOOTPROTO=none
IPADDR=192.168.23.11
NETMASK=255.255.255.0
TEAM_CONFIG='{"runner": {"name": "activebackup"}, "link_watch": {"name": "ethtool"}}'
EOF

4.
ifup team0


Actual results:
ifup team0
Error: Connection activation failed: No suitable device found for this connection.

Expected results:
team device should become available

Additional info:
Comment 12 Milos Malik 2016-08-18 14:59:29 UTC 
The /run/teamd/team0.conf file is mislabeled. Following command will fix it:

# restorecon -Rv /run/teamd

Does the scenario work now?
Comment 13 Marcelo Ricardo Leitner 2016-08-18 15:01:29 UTC 
(In reply to Milos Malik from comment #12)
> The /run/teamd/team0.conf file is mislabeled. Following command will fix it:

Sorry for my ignorance on the topic but assuming that's it, how can we avoid this? Was the file created in a wrong way?
Comment 14 Milos Malik 2016-08-18 15:09:09 UTC 
We have to find out which process created the /run/teamd directory and which process created the team0.conf file. Files inside /run/teamd directory should inherit the same SELinux label unless selinux-policy tells otherwise. Did it happen on a clean machine?
Comment 15 Xin Long 2016-08-18 15:58:06 UTC 
(In reply to Milos Malik from comment #14)
> We have to find out which process created the /run/teamd directory and which
> process created the team0.conf file. Files inside /run/teamd directory
> should inherit the same SELinux label unless selinux-policy tells otherwise.
> Did it happen on a clean machine?

Hi, Milos

When we run "ifup team0", the current shell process calls:
/etc/sysconfig/network-scripts/ifup-Team, in it:

	mkdir -p /run/teamd/  || exit 1
	echo "${TEAM_CONFIG}" > /run/teamd/${DEVICE}.conf  || exit 1
	/usr/bin/systemctl start teamd@${DEVICE}.service  || exit 1 <----[1]

(${DEVICE} is team0 here)

So current shell process create this directory and file.
ls -Z "/run/teamd/team0.conf"
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /run/teamd/team0.conf

However, [1] will send a request to systemd, then
systemd process starts teamd daemon with:
/usr/bin/teamd -U -D -o -t %i -f /run/teamd/%i.conf
(%i is team0 here)

So systemd process access this file.

[root@localhost ~]# ps axZ |grep systemd
system_u:system_r:init_t:s0         1 ?        Ss     0:20 /usr/lib/systemd/systemd --switched-root --system --deserialize 21

---------
If we config "BOOT=yes" in team configuration, it works fine, as network service
call ifup-Team and create the directory and the file when system is booting.

But if we config "BOOT=no" in team configuration, network will not call it.then
we may use ifup team0 to start it manually in an shell terminal, then this issue
is triggered.
Comment 16 Amit Supugade 2016-08-18 17:11:22 UTC 
(In reply to Milos Malik from comment #12)
> The /run/teamd/team0.conf file is mislabeled. Following command will fix it:
> 
> # restorecon -Rv /run/teamd
> 
> Does the scenario work now?
This command did not fix it. I saw the same behaviour as before.
Comment 17 Milos Malik 2016-08-18 21:02:15 UTC 
Which version of selinux-policy do you have on your machine?

# rpm -qa selinux-policy\*
Comment 18 Amit Supugade 2016-08-18 21:07:49 UTC 
(In reply to Milos Malik from comment #17)
> Which version of selinux-policy do you have on your machine?
> 
> # rpm -qa selinux-policy\*

[root@sam ~]# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-93.el7.noarch
selinux-policy-3.13.1-93.el7.noarch
Comment 19 Milos Malik 2016-08-18 21:32:47 UTC 
There is one test case among selinux-policy tests which is dedicated to teamd:
* /CoreOS/selinux-policy/Regression/teamd-and-similar

The /run/teamd directory did not exist on my VMs before running the test case. After running the test case I see following. The directory is labeled correctly.

# rpm -qf /run/teamd/
file /run/teamd is not owned by any package
# ls -dZ /run/teamd/
drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0 /run/teamd/
#

Could you remove the /run/teamd directory first, run your scenario and then provide output of following commands?

# ls -Z /run/teamd
Comment 20 Amit Supugade 2016-08-18 21:43:28 UTC 
(In reply to Milos Malik from comment #19)
> There is one test case among selinux-policy tests which is dedicated to
> teamd:
> * /CoreOS/selinux-policy/Regression/teamd-and-similar
> 
> The /run/teamd directory did not exist on my VMs before running the test
> case. After running the test case I see following. The directory is labeled
> correctly.
> 
> # rpm -qf /run/teamd/
> file /run/teamd is not owned by any package
> # ls -dZ /run/teamd/
> drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> /run/teamd/
> #
> 
> Could you remove the /run/teamd directory first, run your scenario and then
> provide output of following commands?
> 
> # ls -Z /run/teamd
Here is the output of the command as requested-
[root@sam run]# ls -Z /run/teamd
-rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.pid
srwx------. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.sock
Comment 21 Xin Long 2016-08-19 06:50:36 UTC 
Hi
(In reply to Milos Malik from comment #19)
> There is one test case among selinux-policy tests which is dedicated to
> teamd:
> * /CoreOS/selinux-policy/Regression/teamd-and-similar
> 
> The /run/teamd directory did not exist on my VMs before running the test
> case. After running the test case I see following. The directory is labeled
> correctly.
> 
> # rpm -qf /run/teamd/
> file /run/teamd is not owned by any package
> # ls -dZ /run/teamd/
> drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> /run/teamd/
> #
> 
> Could you remove the /run/teamd directory first, run your scenario and then
> provide output of following commands?
> 
> # ls -Z /run/teamd
Pls disable NM, this issue happens without NM.
Comment 22 Xin Long 2016-08-19 06:53:12 UTC 
(In reply to Amit Supugade from comment #20)
> (In reply to Milos Malik from comment #19)
> > There is one test case among selinux-policy tests which is dedicated to
> > teamd:
> > * /CoreOS/selinux-policy/Regression/teamd-and-similar
> > 
> > The /run/teamd directory did not exist on my VMs before running the test
> > case. After running the test case I see following. The directory is labeled
> > correctly.
> > 
> > # rpm -qf /run/teamd/
> > file /run/teamd is not owned by any package
> > # ls -dZ /run/teamd/
> > drwxr-xr-x. root root system_u:object_r:NetworkManager_var_run_t:s0
> > /run/teamd/
> > #
> > 
> > Could you remove the /run/teamd directory first, run your scenario and then
> > provide output of following commands?
> > 
> > # ls -Z /run/teamd
> Here is the output of the command as requested-
> [root@sam run]# ls -Z /run/teamd
> -rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 team0.pid
> srwx------. root root system_u:object_r:NetworkManager_var_run_t:s0
> team0.sock

without NM, it should be:
ls -Z "/run/teamd/team0.conf"
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /run/teamd/team0.conf
                 -----^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Comment 23 Miroslav Grepl 2016-08-22 09:34:00 UTC 
Milos,
are you able to reproduce it?
Comment 24 Miroslav Grepl 2016-08-22 09:36:24 UTC 
Guys,
how is /run/teamd created?
Comment 25 Xin Long 2016-08-22 10:24:53 UTC 
(In reply to Miroslav Grepl from comment #24)
> Guys,
> how is /run/teamd created?

Miroslav, pls check c15 .
Comment 26 Miroslav Grepl 2016-08-22 14:00:00 UTC 
Ok, I overlooked. Thanks.

So it happens because of


>But if we config "BOOT=no" in team configuration, network will not call it.then
>we may use ifup team0 to start it manually in an shell terminal, then this issue
>is triggered.

Could you please test it with the following local policy?

$ cat mypol.cil
(typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
# semodule -i mypol.cil

to see if it works correctly?

Thank you.
Comment 27 Jaroslav Aster 2016-08-22 14:22:42 UTC 
Hi,

today, I found out same issue in my test, but only on aarch64. Other architectures work fine. I use nmcli in my test, but it fails without nmcli too.

# rpm -q selinux-policy kernel
selinux-policy-3.13.1-93.el7.noarch
kernel-4.5.0-3.el7.aarch64

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
<no matches>

# nmcli connection add con-name teamTest ifname teamTest type team config '{"runner": {"name": "activebackup"}}'
Connection 'teamTest' (effd6db2-5189-4c69-ba1e-ce67a76c75b4) successfully added.

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=PROCTITLE msg=audit(08/22/2016 10:05:51.376:449) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}} 
type=SYSCALL msg=audit(08/22/2016 10:05:51.376:449) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3fff1deae30 items=0 ppid=764 pid=28763 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(08/22/2016 10:05:51.376:449) : avc:  denied  { create } for  pid=28763 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0 
----
type=PROCTITLE msg=audit(08/22/2016 10:05:51.716:450) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}} 
type=SYSCALL msg=audit(08/22/2016 10:05:51.716:450) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3ffd7e99200 items=0 ppid=764 pid=28767 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(08/22/2016 10:05:51.716:450) : avc:  denied  { create } for  pid=28767 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0 
----
type=PROCTITLE msg=audit(08/22/2016 10:05:52.047:451) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}} 
type=SYSCALL msg=audit(08/22/2016 10:05:52.047:451) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3fffbd6f2e0 items=0 ppid=764 pid=28771 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(08/22/2016 10:05:52.047:451) : avc:  denied  { create } for  pid=28771 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0 
----
type=PROCTITLE msg=audit(08/22/2016 10:05:52.382:452) : proctitle=/usr/bin/teamd -o -n -U -D -N -t teamTest -c {"runner": {"name": "activebackup"}} 
type=SYSCALL msg=audit(08/22/2016 10:05:52.382:452) : arch=aarch64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=chaos a3=0x3ffc9913c40 items=0 ppid=764 pid=28775 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=teamd exe=/usr/bin/teamd subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(08/22/2016 10:05:52.382:452) : avc:  denied  { create } for  pid=28775 comm=teamd scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_generic_socket permissive=0
Comment 28 Amit Supugade 2016-08-22 15:36:25 UTC 
(In reply to Miroslav Grepl from comment #26)
> Ok, I overlooked. Thanks.
> 
> So it happens because of
> 
> 
> >But if we config "BOOT=no" in team configuration, network will not call it.then
> >we may use ifup team0 to start it manually in an shell terminal, then this issue
> >is triggered.
> 
> Could you please test it with the following local policy?
> 
> $ cat mypol.cil
> (typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
> # semodule -i mypol.cil
> 
> to see if it works correctly?
> 
> Thank you.

Hi,
I tried with the local policy and it worked fine. Log below-

[root@robin ~]# cat mypol.cil
(typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
[root@robin ~]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2016-08-22 11:33:10 EDT; 2s ago
     Docs: man:NetworkManager(8)
 Main PID: 817 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/NetworkManager.service
           └─879 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-enp5s0f0.pid -lf /var/lib/NetworkManager/dhclient-0bb2b557-70e0-4f3f-b3d2-4c4335f91...

Aug 22 11:26:58 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879618.5664] device (enp7s0f0): link disconnected
Aug 22 11:26:58 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879618.5671] device (enp7s0f1): link disconnected
Aug 22 11:31:03 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879863.1986] device (enp7s0f1): link connected
Aug 22 11:31:04 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879864.2008] device (enp7s0f1): link disconnected
Aug 22 11:31:28 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879888.3075] device (enp7s0f1): link connected
Aug 22 11:31:29 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879889.2921] device (enp7s0f0): link connected
Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com systemd[1]: Stopping Network Manager...
Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879990.2194] caught SIGTERM, shutting down normally.
Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com NetworkManager[817]: <info>  [1471879990.2227] exiting (success)
Aug 22 11:33:10 robin.knqe.lab.eng.bos.redhat.com systemd[1]: Stopped Network Manager.
[root@robin ~]# 
[root@robin ~]# semodule -i mypol.cil
[root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f0
> DEVICE=enp7s0f0
> ONBOOT=no
> TEAM_MASTER=team0
> EOF
[root@robin ~]# 
[root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-enp7s0f1
> DEVICE=enp7s0f1
> ONBOOT=no
> TEAM_MASTER=team0
> EOF
[root@robin ~]# 
[root@robin ~]# 
[root@robin ~]# cat <<-EOF > /etc/sysconfig/network-scripts/ifcfg-team0
> DEVICE=team0
> ONBOOT=no
> BOOTPROTO=none
> IPADDR=192.168.23.11
> NETMASK=255.255.255.0
> TEAM_CONFIG='{"runner": {"name": "activebackup"}, "link_watch": {"name": "ethtool"}}'
> EOF
[root@robin ~]# 
[root@robin ~]# ifup team0

[root@robin ~]# 
[root@robin ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp7s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP qlen 1000
    link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:faff:fe8a:5c7a/64 scope link 
       valid_lft forever preferred_lft forever
3: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether e4:11:5b:dd:d6:06 brd ff:ff:ff:ff:ff:ff
    inet 10.19.15.27/24 brd 10.19.15.255 scope global dynamic enp5s0f0
       valid_lft 84345sec preferred_lft 84345sec
    inet6 2620:52:0:130b:e611:5bff:fedd:d606/64 scope global noprefixroute dynamic 
       valid_lft 2591822sec preferred_lft 604622sec
    inet6 fe80::e611:5bff:fedd:d606/64 scope link 
       valid_lft forever preferred_lft forever
4: enp7s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master team0 state UP qlen 1000
    link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:faff:fe8a:5c82/64 scope link 
       valid_lft forever preferred_lft forever
5: enp5s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether e4:11:5b:dd:d6:07 brd ff:ff:ff:ff:ff:ff
6: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:90:fa:8a:5c:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.23.11/24 brd 192.168.23.255 scope global team0
       valid_lft forever preferred_lft forever
    inet6 2001::290:faff:fe8a:5c7a/64 scope global mngtmpaddr dynamic 
       valid_lft 2591999sec preferred_lft 604799sec
    inet6 fe80::290:faff:fe8a:5c7a/64 scope link 
       valid_lft forever preferred_lft forever
Comment 29 Amit Supugade 2016-08-22 19:11:34 UTC 
This bug is causing many other team test failures. Increasing Priority and Severity.
Comment 30 Miroslav Grepl 2016-08-23 07:28:18 UTC 
Ok we have tested fix.

(typetransition unconfined_t var_run_t dir "teamd" NetworkManager_var_run_t)
(allow NetworkManager_t NetworkManager_t ( netlink_generic_socket ( create )))
Comment 36 errata-xmlrpc 2016-11-04 02:36:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html