Bug 1420134
Summary: | Selinux is preventing neutron-openvswitch-agent from starting properly | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | David Hill <dhill> |
Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
Status: | CLOSED ERRATA | QA Contact: | David Hill <dhill> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 10.0 (Newton) | CC: | dhill, ihrachys, lhh, mburns, mgrepl, nlevinki, oblaut, srevivo |
Target Milestone: | z3 | Keywords: | Triaged, ZStream |
Target Release: | 10.0 (Newton) | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | openstack-selinux-0.8.5-1.el7ost | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1419418 | Environment: | |
Last Closed: | 2017-06-28 15:27:21 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1419418 | | |
Bug Blocks: | | | |
Description
David Hill
2017-02-07 23:33:42 UTC
Please provide the full audit.log while running in permissive mode. That will help determine the best path forward. audit2allow doesn't always provide the best option.

The problem here is that openstack undercloud install switches it back to enforcing along the way. In RHOSP 10.0 I only had that line, which I can simply copy/paste here (but it was repeated 100000 times).

```
type=AVC msg=audit(1486685192.236:18260264): avc: denied { search } for pid=7040 comm="ovs-vsctl" name="7032" dev="proc" ino=499867 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1486685192.236:18260264): avc: denied { read } for pid=7040 comm="ovs-vsctl" name="cmdline" dev="proc" ino=497396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685192.236:18260264): avc: denied { open } for pid=7040 comm="ovs-vsctl" path="/proc/7032/cmdline" dev="proc" ino=497396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685192.236:18260265): avc: denied { getattr } for pid=7040 comm="ovs-vsctl" path="/proc/7032/cmdline" dev="proc" ino=497396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685192.341:18260268): avc: denied { create } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685192.341:18260269): avc: denied { setopt } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685192.341:18260270): avc: denied { getopt } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685192.341:18260271): avc: denied { connect } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685192.341:18260272): avc: denied { getattr } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685208.812:18260753): avc: denied { write } for pid=7605 comm="iptables-save" path="/etc/sysconfig/iptables" dev="vda1" ino=7458118 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685222.763:18261281): avc: denied { read } for pid=7989 comm="ip" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685222.763:18261281): avc: denied { open } for pid=7989 comm="ip" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685222.914:18261285): avc: denied { create } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.915:18261286): avc: denied { setopt } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.915:18261287): avc: denied { getopt } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.915:18261288): avc: denied { connect } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.915:18261289): avc: denied { getattr } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.983:18261295): avc: denied { read } for pid=8003 comm="ip" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685222.983:18261295): avc: denied { open } for pid=8003 comm="ip" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685224.408:18261328): avc: denied { read } for pid=8059 comm="ip" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685224.408:18261328): avc: denied { open } for pid=8059 comm="ip" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685225.005:18261366): avc: denied { read } for pid=8075 comm="ip" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685225.005:18261366): avc: denied { open } for pid=8075 comm="ip" path="net:[4026531957]" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
```

Quick workaround for me is to put selinux in permissive in RedHat.yaml like Centos.yaml:

```
sed -i 's/enforcing/permissive/' /usr/share/instack-undercloud/puppet-stack-config/os-apply-config/etc/puppet/hieradata/RedHat.yaml
```

This is why CI is not hitting this issue, if anyone asks, and there are probably selinux audit logs for that.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1587
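The comment above asks for the full audit.log because a denial repeated 100000 times hides which distinct domain/type/class combinations are actually involved. The following is an added example (not code from the bug report or from openstack-selinux) that parses AVC records in the audit.log format quoted above, collapses the repeats into one entry per (source type, target type, object class), tracks whether each denial was logged in permissive mode, and renders the aggregated result as the `allow` rules audit2allow would propose, so a reviewer can judge each rule rather than accept the generated module blindly. The sample records are a constructed subset of those quoted in the bug.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format, a subset of the records quoted in the bug
# (the real log repeated these many thousands of times).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1486685192.236:18260264): avc: denied { search } for pid=7040 comm="ovs-vsctl" name="7032" dev="proc" ino=499867 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1486685192.236:18260264): avc: denied { read } for pid=7040 comm="ovs-vsctl" name="cmdline" dev="proc" ino=497396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685192.236:18260264): avc: denied { open } for pid=7040 comm="ovs-vsctl" path="/proc/7032/cmdline" dev="proc" ino=497396 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=file permissive=1
type=AVC msg=audit(1486685192.341:18260268): avc: denied { create } for pid=29183 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1486685222.763:18261281): avc: denied { read } for pid=7989 comm="ip" dev="nsfs" ino=4026531957 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
"""

# One AVC record: denied permissions, source/target contexts, object class, and
# whether the domain was permissive (permissive=1) when the denial was logged.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """user:role:type:level -> type, the field policy rules are written against."""
    return context.split(":")[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC record (other audit types, noise)
    return {"perms": set(m.group("perms").split()),
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1"}

def summarize_denials(log_text):
    """Collapse repeated records into (source, target, class) -> perms and counts."""
    out = defaultdict(lambda: {"perms": set(), "count": 0, "enforcing": 0})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        entry = out[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["enforcing"] += 0 if rec["permissive"] else 1  # denials that really blocked
    return dict(out)

def format_allow_rules(summary):
    """Render each aggregated denial as the allow rule audit2allow would propose."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
                  for (s, t, c), v in summary.items())
```

Run against the full audit.log the output is a short, deduplicated rule list; an `enforcing` count above zero marks the combinations that were actually blocking neutron-openvswitch-agent once the undercloud install switched SELinux back to enforcing.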