Bug 1379429

Summary: Tempest tests fail on RHOSP 10
Product: Red Hat OpenStack Reporter: Arie Bregman <abregman>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED NOTABUG QA Contact: Udi Shkalim <ushkalim>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 10.0 (Newton)CC: amuller, jschluet, lhh, mburns, mgrepl, srevivo
Target Milestone: gaKeywords: AutomationBlocker, Triaged
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-14 14:21:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Arie Bregman 2016-09-26 17:32:04 UTC
Description of problem:

Some of the tempest tests we run on RHOSP 10 deployment fail. There are several denials in audit.log while running the tests.


Version-Release number of selected component (if applicable): 10.0


How reproducible: 100%


Steps to Reproduce:
1. Deploy RHOSP 10 (HA, 3 controllers, 2 compute)
2. Run Tempest
3.

Actual results:

Tempest fails to run successfully


Expected results: Tests passed 100%


Additional info: providing audit.log

Comment 3 Ryan Hallisey 2016-09-27 16:56:09 UTC
There were no AVCs I could identify in there that were causing a breakage.  Test again in permissive and post the results.

Comment 10 Mike Burns 2016-10-14 11:33:15 UTC
Ryan,  can you look at this?

Comment 11 Ryan Hallisey 2016-10-14 14:03:10 UTC
I don't think the failures are because of selinux.  The only AVC that seems close is the below AVC, but it doesn't look harmful.

type=AVC msg=audit(1475048581.557:3952): avc:  denied  { read } for  pid=22078 comm="logrotate" name="ceph" dev="vda2" ino=9658987 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:obj\
ect_r:user_tmp_t:s0 tclass=dir

Comment 12 Arie Bregman 2016-10-14 14:21:59 UTC
Yes, I don't think it's selinux either.

We have two type of failures:

1. DHCP IPv6 API: https://bugzilla.redhat.com/show_bug.cgi?id=1384631

2. And all the network scenario which we suspect related to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1382389

I had several builds with SElinux disabled, and it didn't change the number of failures. Closing the bug.