Bug 1547197
| Summary: | selinux prevents dibbler-client from starting when using dibbler in neutron | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | David Hill <dhill> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | Udi Shkalim <ushkalim> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 10.0 (Newton) | CC: | amuller, dhill, mburns, mgrepl, srevivo |
| Target Milestone: | z8 | Keywords: | Triaged, ZStream |
| Target Release: | 10.0 (Newton) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-selinux-0.8.14-1.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-05-17 15:49:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Do we have any testing of dibbler client that would catch this in the future? David -- if you have a full audit.log available, that may help. We might be able to solve without it, but if you have it available can you attach it? Here are the logs:
type=AVC msg=audit(1519145039.350:11204): avc: denied { setpgid } for pid=855913 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=AVC msg=audit(1519145099.348:11261): avc: denied { setpgid } for pid=859738 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=AVC msg=audit(1519145159.356:11362): avc: denied { setpgid } for pid=864221 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
type=AVC msg=audit(1519145219.357:11671): avc: denied { setpgid } for pid=868604 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process
There is no Neutron IPv6 prefix delegation testing at all, upstream or downstream. It's challenging because you need an upstream router to serve prefixes, however it should be possible to simulate one using something similar to a container using dibbler-server (using Neutron's "fullstack" testing infrastructure") or a Tempest test that would spawn a VM with a custom image that has a dhcp v6 server installed, but that requires special job configuration. We've never prioritized automating testing IPv6 with PD because of its relative niche factor and the complexity of its testing. 0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1547197; and all regression tests based on AVCs passed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1596 |
Description of problem: selinux prevents dibbler-client from starting when using dibbler in neutron type=AVC msg=audit(1519144859.347:11041): avc: denied { setpgid } for pid=844370 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process type=AVC msg=audit(1519144919.345:11090): avc: denied { setpgid } for pid=848028 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process type=AVC msg=audit(1519144979.346:11151): avc: denied { setpgid } for pid=852082 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process type=AVC msg=audit(1519145039.350:11204): avc: denied { setpgid } for pid=855913 comm="dibbler-client" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=process Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: