Bug 1707840
| Summary: | [OSP15] ML2 OVS Unable to boot guest instances with vhostuser due to selinux policy | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Vadim Khitrin <vkhitrin> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | nlevinki <nlevinki> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 15.0 (Stein) | CC: | aconole, cfontain, fbaudin, lhh, lvrabec, skramaja, supadhya, tredaelli, zcaplovi |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 15.0 (Stein) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.8.19-0.20190515180355.e1c7511.el8ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-09-21 11:21:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Vadim Khitrin
2019-05-08 14:16:02 UTC
I executed the below commands in the compute node with selinux mode as Enforcing, and I was able to create the VMs successfully.

    ausearch -c 'vhost-events' --raw | audit2allow -M my-vhostevents
    semodule -X 300 -i my-vhostevents.pp

curiously:

    #!!!! This avc has a dontaudit rule in the current policy
    allow openvswitch_t spc_t:unix_stream_socket { read write };

OVS doesn't require container-selinux, but spc_t is defined there. However, openstack-selinux does require container-selinux.

Yes, openvswitch-selinux-extra-policy-1.0-10 requires container-selinux

We are eliminating the dependency to containers-selinux, because it breaks some layered products.

No problem, since it's specific to openstack container configuration, I placed it here for now: https://github.com/redhat-openstack/openstack-selinux/pull/32

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:2811
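
Added example, not part of the bug report or of openstack-selinux: a Python filter that lists the allow rules the `ausearch ... --raw | audit2allow` step above would derive from raw AVC records, so the grants can be reviewed before `semodule` loads them. The records in `SAMPLE` are constructed, and `example_t` and `other-daemon` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch --raw` format; not taken from the bug report.
SAMPLE = """\
type=AVC msg=audit(1557324000.101:812): avc:  denied  { read } for  pid=4211 comm="vhost-events" path="socket:[58211]" dev="sockfs" ino=58211 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1557324000.102:813): avc:  denied  { write } for  pid=4211 comm="vhost-events" path="socket:[58211]" dev="sockfs" ino=58211 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1557324007.550:840): avc:  denied  { getattr } for  pid=977 comm="other-daemon" path="/etc/example.conf" dev="dm-0" ino=1201 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1557324000.101:812): arch=c000003e syscall=47 success=no comm="vhost-events"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def candidate_rules(raw, comm=None):
    """Group AVC denials by (source type, target type, class) into allow rules.

    If comm is given, only denials from that command name are kept,
    mirroring the `-c` filter used with ausearch.
    """
    grouped = defaultdict(set)
    for line in raw.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None or (comm is not None and m["comm"] != comm):
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE, comm="vhost-events"):
        print(rule)
```

Without the `comm` filter the unrelated `example_t` denial is included as well, which is the kind of unintended grant worth catching before a generated module is installed.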