Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1676954

Summary: After minor update (rhel 7.5 to 7.6) instance actions fail and neutron networking is broken
Product: Red Hat OpenStack
Reporter: Cristian Muresanu <cmuresan>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: medium
Version: 10.0 (Newton)
CC: amuller, asoni, bcafarel, chrisw, jpichon, lhh, mgrepl, njohnston, skaplons, zcaplovi
Keywords: Rebase, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.8.18-1.el7ost
Last Closed: 2019-04-30 16:59:39 UTC
Type: Bug

Description Cristian Muresanu 2019-02-13 16:38:23 UTC
Description of problem:
After minor update (rhel 7.5 to 7.6) instance actions fail and neutron networking is broken

New instance spawn fails
Start instance fails
Live-migration fails

Version-Release number of selected component (if applicable):


How reproducible:
minor update (rhel 7.5 to 7.6)

Steps to Reproduce:
1.
2.
3.

Actual results:
instance actions fail and neutron networking is broken

Expected results:
Not fail

Additional info:

Comment 1 Cristian Muresanu 2019-02-13 16:46:24 UTC
After setting setenforce 0 on the controllers, then restarting the neutron services on the controllers and restarting rabbit, then setting setenforce 0 on the computes and restarting the neutron and openstack services, things get a little better; e.g. we no longer see the neutron errors in /var/log/secure. BUT instance actions like nova start continue to fail.

Comment 11 Julie Pichon 2019-02-22 16:52:42 UTC
This looks similar to the nova rootwrap issues that should have been resolved in openstack-selinux-0.8.15-1.el7ost / selinux-policy-3.13.1-229.el7_6.6 (bug 1645270 / bug 1638547) and are both installed on the system. The current AVC denials only relate to neutron_t so it's possible the same generic fix for pam authentication may work, though I am not sure specifically about pam_lsass. I will propose a patch.
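
One way to check the observation above that the AVC denials relate only to neutron_t is to group audit.log denials by source domain. This is an added example, not part of the bug report or of openstack-selinux; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed audit.log lines (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1550075903.101:811): avc:  denied  { read } for  pid=4021 comm="sudo" name="example.conf" dev="dm-0" ino=1201 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1550075903.105:812): avc:  denied  { connectto } for  pid=4021 comm="sudo" path="/run/example.sock" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1550075903.105:812): arch=c000003e syscall=42 success=no exit=-13 comm="sudo"
type=AVC msg=audit(1550076411.220:930): avc:  denied  { read write } for  pid=4188 comm="sudo" name="example.db" dev="dm-0" ino=1310 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def summarize_denials(lines):
    """Map source domain -> Counter of (target type, class, permission, mode)."""
    summary = defaultdict(Counter)
    for line in lines:
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue
        # permissive=1 marks a denial that was logged but not enforced
        mode = "permissive" if m.group("permissive") == "1" else "enforcing"
        for perm in m.group("perms").split():
            key = (context_type(m.group("tcontext")), m.group("tclass"), perm, mode)
            summary[context_type(m.group("scontext"))][key] += 1
    return summary

if __name__ == "__main__":
    for domain, counts in summarize_denials(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(domain)
        for (ttype, tclass, perm, mode), n in sorted(counts.items()):
            print(f"  {n}x {perm} on {ttype}:{tclass} ({mode})")
```

A single source domain in the result is what "only relate to neutron_t" looks like in practice; any other domain in the keys means the denials are broader than one policy module.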

Comment 14 Lon Hohberger 2019-03-11 13:31:23 UTC
Merged upstream. Simple workaround for pbis users.

Comment 15 Julie Pichon 2019-03-29 11:44:06 UTC
The workaround mentioned above as well as the optional pbis boolean added in for bug 1658815 are available in the latest build. Based on the discussions in the other bug, this should help with the AVCs mentioned here as well.

Comment 21 errata-xmlrpc 2019-04-30 16:59:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922