Bug 1581729

Summary: [OSP13] Neutron denied running dhcp_release6
Product: Red Hat OpenStack Reporter: Lon Hohberger <lhh>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Udi Shkalim <ushkalim>
Severity: urgent Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: bcafarel, bhaley, jjoyce, jschluet, mgrepl, srevivo
Target Milestone: rcKeywords: AutomationBlocker, Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.14-11.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:57:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1547669    

Description Lon Hohberger 2018-05-23 13:49:02 UTC 
Description of problem: CI Testing showed this new AVC:

type=AVC msg=audit(1527075675.414:18010): avc:  denied  { name_bind } for  pid=4521 comm="dhcp_release6" src=546 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket


Version-Release number of selected component (if applicable): 0.8.14-10.el7ost


How reproducible: Unknown
Comment 1 Brian Haley 2018-05-23 15:53:53 UTC 
dhcp_release6 is something neutron could call to try and clean-up stale leases, so it should be allowed.  Since it's not something that would happen often, and it's IPv6 which doesn't have as small a subnet size as IPv4, I wouldn't necessarily consider it a blocker for GA.  And it is probably just causing a runtime error in the dhcp-agent, which should be caught correctly.
Comment 2 Bernard Cafarelli 2018-05-23 16:21:41 UTC 
May be related to #1547669 (now dhcp_release6 binary is found and can be called)
Comment 3 Brian Haley 2018-05-23 16:29:30 UTC 
Yes, Bernard is correct, dhcp_release6 was added in dnsmasq version 2.76, http://www.thekelleys.org.uk/dnsmasq/CHANGELOG - so that script is new to any OSP release that gets it.
Comment 4 Lon Hohberger 2018-05-23 18:35:54 UTC 
Linky: bug 1547669
Comment 10 Lon Hohberger 2018-06-21 13:01:11 UTC 
AVC regression tests for this passed; the AVC does not appear with current openstack-selinux-0.8.14-11.el7ost and later
Comment 12 errata-xmlrpc 2018-06-27 13:57:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086