Bug 1397537

Summary: OSPd packaging for OVS-DPDK policies with SELINUX
Product: Red Hat OpenStack Reporter: Maxim Babushkin <mbabushk>
Component: openstack-selinuxAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Maxim Babushkin <mbabushk>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 10.0 (Newton)CC: amuller, apevec, atelang, edannon, fbaudin, fleitner, jhsiao, jschluet, lhh, lhinds, lvrabec, mbabushk, mgrepl, nyechiel, sclewis, smazziot, srevivo, twilson, yrachman, zshi
Target Milestone: rcKeywords: Rebase, Triaged
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.7.13-1.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-14 16:34:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1325680    

Comment 11 Maxim Babushkin 2016-11-24 07:59:56 UTC 
Lukas,

Everything working as expected.
No additional selinux errors.

Thanks for the help.
Maxim.
Comment 16 Maxim Babushkin 2016-11-28 15:20:29 UTC 
The environment with the policy was tested with the following steps:

Overcloud has been deployed with two OVS DPDK and one OVS regular (public) network.
Each network resides on a separate vlan.
Private1 network (routable) was created for the first dpdk interface.
Private2 network (routable) was created for the second dpdk interface.
Public network was created as an external network for the regular ovs interface.

Test1 instance has been booted up with Private1 network attached.
Test2 instance has been booted up with Private2 network attached.

SSH access tested to the test1 instance.
SSH access tested between test1 and test2 instances.
Connectivity to outside (8.8.8.8) has been tested from both of the instances.

Floating ip has been added to the test1 instance and ssh connectivity tested to the instance.

audit.log has been verified for no avc denied errors.
Comment 17 Scott Lewis 2016-11-28 17:12:32 UTC 
(In reply to Maxim Babushkin from comment #16)
> The environment with the policy was tested with the following steps:
> 
> Overcloud has been deployed with two OVS DPDK and one OVS regular (public)
> network.
> Each network resides on a separate vlan.
> Private1 network (routable) was created for the first dpdk interface.
> Private2 network (routable) was created for the second dpdk interface.
> Public network was created as an external network for the regular ovs
> interface.
> 
> Test1 instance has been booted up with Private1 network attached.
> Test2 instance has been booted up with Private2 network attached.
> 
> SSH access tested to the test1 instance.
> SSH access tested between test1 and test2 instances.
> Connectivity to outside (8.8.8.8) has been tested from both of the instances.
> 
> Floating ip has been added to the test1 instance and ssh connectivity tested
> to the instance.
> 
> audit.log has been verified for no avc denied errors.

Has this been incorporated and tested within the latest puddle? I've noticed that you moved this directly from ASSIGNED -> VERIFIED without the intervening steps, which are used to add patches to puddles and advisories.
Comment 18 Maxim Babushkin 2016-11-28 17:51:10 UTC 
I have verified the solution once again today with the latest puddle.

Of course if needed, the status should be changed.
Comment 20 Jon Schlueter 2016-11-28 18:08:43 UTC 
To stay in post please update external trackers for patches/launch pad bug etc that should be tracked for this to transition to modify d with Fixed in version specified.  If all needed changes are in brew built packages. Pleas update fixed in version and move to modified.
Comment 23 Lukas Vrabec 2016-11-29 12:36:03 UTC 
Here is pull request:

https://github.com/lukehinds/openstack-selinux/pull/1
Comment 25 Alan Pevec 2016-11-29 13:01:13 UTC 
(In reply to Lukas Vrabec from comment #23)
> Here is pull request:
> 
> https://github.com/lukehinds/openstack-selinux/pull/1

As commented there, please move it to redhat-openstack/openstack-selinux
Comment 28 Maxim Babushkin 2016-11-30 12:43:04 UTC 
The bug has been verified with the latest puddle with openstack-selinux-0.7.13-1.el7ost package installed.
Comment 30 Maxim Babushkin 2016-12-06 08:57:18 UTC 
*** Bug 1380114 has been marked as a duplicate of this bug. ***
Comment 32 errata-xmlrpc 2016-12-14 16:34:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html