Description of problem:
When launching an instance with multiqueue enabled as an image property, the instance fails to start. An avc denial can be seen in the audit log:
type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } for pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket
Disabling selinux or running the below commands allows the instance to start:
# audit2allow -a -M attach_queue
# semodule -i attach_queue.pp
Version-Release number of selected component (if applicable):
openstack-selinux-0.8.14-12.el7ost.noarch Wed Jul 11 03:27:18 2018
selinux-policy-3.13.1-192.el7_5.4.noarch Wed Jul 11 02:42:42 2018
selinux-policy-targeted-3.13.1-192.el7_5.4.noarch Wed Jul 11 02:45:15 2018
How reproducible:
Consistently in this RHEL 7.5 RHOSP 13 environment
Steps to Reproduce:
1. Deploy RHOSP 13 with dpdk https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/network_functions_virtualization_planning_and_configuration_guide/
2. Attempt to launch an instance with multiqueue
Actual results:
Instance fails to start with avc denial
Expected results:
Instance starts without manual selinux modification
Additional info:
This looks similar to an older bug https://bugzilla.redhat.com/show_bug.cgi?id=1095636
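Added example (not part of the original report, and not Red Hat tooling): a small parser for the denial quoted above that decodes the hex-encoded comm field and prints the single rule this one denial corresponds to. That rule can be compared with the module `audit2allow -a` builds, since `-a` reads every denial in the audit log. The function names are illustrative.

```python
import re

# The denial quoted in the report above, copied verbatim from the page.
AVC_LINE = (
    "type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } "
    "for pid=34373 comm=43505520312F4B564D "
    "scontext=system_u:system_r:svirt_t:s0:c457,c875 "
    "tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)

def decode_comm(value):
    """auditd writes comm as a quoted string, or as bare hex when the
    name contains a space or other unsafe byte."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # bare and not valid hex: keep as written

def parse_avc(line):
    """Return the security-relevant fields of one AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    pairs = (kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields = dict(pairs)
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": decode_comm(fields["comm"]),
        # SELinux context layout is user:role:type:level
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def allow_rule(d):
    """Type-enforcement rule covering exactly this denial and nothing else."""
    perms = " ".join(d["perms"])
    return "allow {source_type} {target_type}:{tclass} {{ {p} }};".format(p=perms, **d)

if __name__ == "__main__":
    denial = parse_avc(AVC_LINE)
    print("process:", denial["comm"], "pid", denial["pid"])
    print(allow_rule(denial))
```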
Hello Nicholas,
Sorry for the late response. I would like to ask whether there is any reason why you are trying it with RHEL 7.5? The issue might be fixed in RHEL 7.6 with the current container-selinux policy.
Thank you
Zoli Caplovic
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2019:0564