Bug 1850973

Summary: privsep-helper fails to spawn
Product: [Community] RDO
Reporter: Julie Pichon <jpichon>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED UPSTREAM
QA Contact: Ofer Blaut <oblaut>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: trunk
CC: lhh
Target Milestone: ---
Target Release: trunk
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-25 15:59:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Julie Pichon 2020-06-25 10:01:07 UTC
From https://github.com/redhat-openstack/openstack-selinux/pull/63:

The dac_override capability is required when spawning the privsep-helper. It's spawned by neutron-rootwrap, which is itself executed by sudo.

type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } for pid=91081 comm="privsep-helper" capability=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0

audit2allow in permissive mode gives the following:
$ ausearch -c privsep | audit2allow
#============= neutron_t ==============
allow neutron_t self:capability dac_override;


Related neutron log of the failure:

2020-06-25 11:13:51.639 12822 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'privsep-helper', '--config-file', '/usr/share/neutron/neutron-dist.conf', '--config-file', '/etc/neutron/neutron.conf', '--config-file', '/etc/neutron/plugins/ml2/openvswitch_agent.ini', '--config-dir', '/etc/neutron/conf.d/neutron-openvswitch-agent', '--privsep_context', 'neutron.privileged.default', '--privsep_sock_path', '/tmp/tmppqo1gie4/privsep.sock']
2020-06-25 11:13:52.798 12822 CRITICAL oslo.privsep.daemon [-] privsep helper command exited non-zero (1)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp [-] Agent main thread died of an exception: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp Traceback (most recent call last):
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_oskenapp.py", line 40, in agent_main_wrapper
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     ovs_agent.main(bridge_classes)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2768, in main
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     validate_tunnel_config(cfg.CONF.AGENT.tunnel_types, cfg.CONF.OVS.local_ip)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2737, in validate_tunnel_config
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     validate_local_ip(local_ip)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2725, in validate_local_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     if not ip_lib.IPWrapper().get_device_by_ip(local_ip):
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 200, in get_device_by_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     devices = get_devices_with_ip(self.namespace, **kwargs)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 1365, in get_devices_with_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     devices = privileged.get_link_devices(namespace, **link_args)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/privileged/agent/linux/ip_lib.py", line 73, in sync_inner
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     return input_func(*args, **kwargs)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 244, in _wrap
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     self.start()
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 255, in start
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     channel = daemon.RootwrapClientChannel(context=self)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/daemon.py", line 331, in __init__
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     raise FailedToDropPrivileges(msg)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)


Additional information:

PR is already posted on github, creating a bug to have a reference to add a test.
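The audit2allow output quoted in the description is the real tool's. As an added example (not code from this bug report, the linked PR or openstack-selinux), the following Python snippet shows what that tool is doing with the AVC record: it pulls the fields a policy reviewer cares about out of an audit line (verdict, permissions, source and target types, object class, and whether the denial was enforced via `permissive=0`), then aggregates denials into `allow` rules, emitting `self` when source and target types match exactly as audit2allow does. Input is the AVC line from this report plus a second, constructed line (the `etc_t`/`file` denial is illustrative only) so the aggregation of several permissions is visible. The regex assumes the standard Linux audit AVC layout; it is a triage aid, not a replacement for audit2allow.

```python
import re
from collections import defaultdict

# The AVC record quoted in the bug report (copied from this page).
AVC_LINE = (
    'type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } '
    'for pid=91081 comm="privsep-helper" capability=1 '
    'scontext=system_u:system_r:neutron_t:s0 '
    'tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0'
)

# Constructed second record (NOT from the page): a file denial against a
# different target type, logged while the domain was permissive.
CONSTRUCTED_LINE = (
    'type=AVC msg=audit(1593076030.001:2760): avc: denied { read open } '
    'for pid=91081 comm="privsep-helper" name="example.conf" dev="vda1" ino=1234 '
    'scontext=system_u:system_r:neutron_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'
)

# Standard audit AVC layout: verdict, { perms }, optional pid/comm, then the
# source and target contexts, the object class and the permissive flag.
_AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'(?:\s+for\s+pid=(?P<pid>\d+))?'
    r'(?:.*?comm="(?P<comm>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def _type_of(context):
    """SELinux contexts are user:role:type:level; the type is what policy rules use."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if not an AVC."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "verdict": g["verdict"],
        "perms": g["perms"].split(),
        "pid": int(g["pid"]) if g["pid"] else None,
        "comm": g["comm"],
        "source_type": _type_of(g["scontext"]),
        "target_type": _type_of(g["tcontext"]),
        "tclass": g["tclass"],
        # permissive=1: logged but allowed through; permissive=0 (as in the
        # bug's record): the access was actually blocked.
        "permissive": (g["permissive"] == "1") if g["permissive"] is not None else None,
    }


def allow_rules(lines):
    """Aggregate denials into {(source_type, target, class): {perms}}, like audit2allow."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        # audit2allow writes 'self' when the target type equals the source type.
        target = "self" if rec["target_type"] == rec["source_type"] else rec["target_type"]
        rules[(rec["source_type"], target, rec["tclass"])].update(rec["perms"])
    return dict(rules)


def format_rules(rules):
    """Render aggregated rules as 'allow src tgt:class perm;' policy lines."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


def enforced_denials(lines):
    """Only the records that really blocked an access (permissive=0): the ones behind a failure."""
    recs = (parse_avc(l) for l in lines)
    return [r for r in recs if r and r["verdict"] == "denied" and r["permissive"] is False]


if __name__ == "__main__":
    for rule in format_rules(allow_rules([AVC_LINE, CONSTRUCTED_LINE])):
        print(rule)
```

Running it reproduces the `allow neutron_t self:capability dac_override;` line from the report and adds the aggregated `allow neutron_t etc_t:file { open read };` for the constructed record. `enforced_denials` is the triage filter: only the dac_override record has `permissive=0`, which is why it alone explains the "exited non-zero" failure in the neutron log.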