Bug 996776
| Summary: | The openstack-selinux policies need to be updated for the quantum -> neutron rename | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Community] RDO | Reporter: | Terry Wilson <twilson> | ||||||||
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> | ||||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jay Turner <jkt> | ||||||||
| Severity: | urgent | Docs Contact: | |||||||||
| Priority: | urgent | ||||||||||
| Version: | unspecified | CC: | bsettle, dwalsh, mangelajo, mgrepl, mtruneck, oblaut, parsonsa, sandro, srevivo | ||||||||
| Target Milestone: | Milestone3 | Keywords: | VerifiedUpstream | ||||||||
| Target Release: | Havana | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | |||||||||||
| : | 1006370 (view as bug list) | Environment: | |||||||||
| Last Closed: | 2013-12-03 21:33:34 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 1006370, 1013636 | ||||||||||
| Attachments: |
|
||||||||||
I should also point out that neutron ships with the quantum-named binaries as well for compatibility reasons for now. So the rules should probably cover both. *** Bug 999447 has been marked as a duplicate of this bug. *** I can confirm this bug in a test environment here. (rdo-havana on CentOS 6.4) The VMs won't receive dhcp response, It can be identified this way also; # grep DHCPDISCOVER /var/log/messages Sep 5 01:28:38 opentron dnsmasq-dhcp[3284]: DHCPDISCOVER(tapa5331882-85) fa:16:3e:96:4d:a3 no address available # tail -f /var/log/messages | grep dnsmasq & # killall -HUP dnsmasq Sep 5 01:32:05 opentron dnsmasq[2148]: read /etc/hosts - 2 addresses Sep 5 01:32:05 opentron dnsmasq[3284]: cleared cache Sep 5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host: Permission denied Sep 5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host Sep 5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts: Permission denied Sep 5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts Sep 5 01:32:05 opentron dnsmasq[2148]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses Sep 5 01:32:05 opentron dnsmasq-dhcp[2148]: read /var/lib/libvirt/dnsmasq/default.hostsfile as a test I ran dnsmasq as root to check: # ip net exec qdhcp-521717de-5dbe-4756-8ef2-fe17321eeae8 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapa5331882-85 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host --dhcp-optsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s --conf-file= --domain=openstacklocal and it works Created attachment 796015 [details]
Initial patch
This patch was rejected, but is included for reference.
Created attachment 796016 [details]
Upstream patch from Dan Walsh
*** Bug 1008142 has been marked as a duplicate of this bug. *** Unofficial test packages: http://people.redhat.com/lhh/selinux-policy/ This is a backport of Dan's patch: https://bugzilla.redhat.com/attachment.cgi?id=796034 Patch looks good to me after a (very) quick test. Obviously it's hard to test each and every aspect of Neutron but at least the access denied message as described in comment #3 have vanished, dnsmasq was able to read those files just fine - and I never noticed any other SELinux-related issues anyway, myself. Miroslav also did a build for this; I'll update the repository with his patch/build. I updated the packages as well. I tested the packages by setting up lhh's repo. I saw no avc denials. (In reply to Terry Wilson from comment #12) > I tested the packages by setting up lhh's repo. I saw no avc denials. FWIW: the issue in this bug never created any AVC denials but just stopped things from working. Anyway, also tested the updated packages and all looks good. Yes, we need to be sure there is no regression. Ok, so we need to see if RDO/Grizzly still works |
Created attachment 786326 [details] output of ausearch -i -m avc after doing packstack --allinone and launching a VM Description of problem: Various permissions errors occur when launching neutron services/using neutron. I'm assuming that the rename from quantum to neutron broke all of the related selinux policies. All binaries, configs/dirs, usernames etc. have had s/quantum/neutron/ done. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. packstack --allinone 2. . keystonerc_demo 3. nova --boot --image cirros --flavor 1 --nic netid=${id of 'private' network} test 4. ausearch -i -m avc Actual results: Instance gets a DHCP address/No avc errors Expected results: Instance does not get a DHCP address/Lots of avc errors Additional info: