1006370 – The openstack-selinux policies need to be updated for the quantum -> neutron rename

Bug 1006370 - The openstack-selinux policies need to be updated for the quantum -> neutron rename

Summary: The openstack-selinux policies need to be updated for the quantum -> neutron ...

Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	6.5
Assignee:	Miroslav Grepl
QA Contact:	Michal Trunecka
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:	996776
Blocks:	1013636
TreeView+	depends on / blocked

Reported:	2013-09-10 14:03 UTC by Lon Hohberger
Modified:	2014-09-30 23:35 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:	996776
Clones:	1013636 (view as bug list)
Environment:	(edit)
Last Closed:	2013-11-21 10:51:04 UTC

Attachments	(Terms of Use)
Patch from upstream which resolves the problem (18.92 KB, patch) 2013-09-10 14:04 UTC, Lon Hohberger	no flags	Details \| Diff
Untested backport (16.10 KB, patch) 2013-09-10 14:37 UTC, Lon Hohberger	no flags	Details \| Diff
Tested backport (17.75 KB, patch) 2013-09-18 19:45 UTC, Lon Hohberger	no flags	Details \| Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Lon Hohberger 2013-09-10 14:03:02 UTC

+++ This bug was initially created as a clone of Bug #996776 +++

Description of problem:
Various permissions errors occur when launching neutron services/using neutron. I'm assuming that the rename from quantum to neutron broke all of the related selinux policies. All binaries, configs/dirs, usernames etc. have had s/quantum/neutron/ done.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. packstack --allinone
2. . keystonerc_demo
3. nova --boot --image cirros --flavor 1 --nic netid=${id of 'private' network} test
4. ausearch -i -m avc

Actual results:
Instance gets a DHCP address/No avc errors

Expected results:
Instance does not get a DHCP address/Lots of avc errors

Additional info:

--- Additional comment from Terry Wilson on 2013-08-19 11:04:36 EDT ---

I should also point out that neutron ships with the quantum-named binaries as well for compatibility reasons for now. So the rules should probably cover both.

--- Additional comment from lpeer on 2013-08-21 07:50:05 EDT ---



--- Additional comment from Miguel Angel Ajo on 2013-09-04 18:12:05 EDT ---

I can confirm this bug in a test environment here. (rdo-havana on CentOS 6.4)

The VMs won't receive dhcp response, 

It can be identified this way also;

# grep DHCPDISCOVER /var/log/messages

Sep  5 01:28:38 opentron dnsmasq-dhcp[3284]: DHCPDISCOVER(tapa5331882-85) fa:16:3e:96:4d:a3 no address available

# tail -f /var/log/messages | grep dnsmasq &
# killall -HUP dnsmasq


 Sep  5 01:32:05 opentron dnsmasq[2148]: read /etc/hosts - 2 addresses
Sep  5 01:32:05 opentron dnsmasq[3284]: cleared cache
Sep  5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host: Permission denied
Sep  5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host
Sep  5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts: Permission denied
Sep  5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts
Sep  5 01:32:05 opentron dnsmasq[2148]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Sep  5 01:32:05 opentron dnsmasq-dhcp[2148]: read /var/lib/libvirt/dnsmasq/default.hostsfile


as a test I ran dnsmasq as root to check:
# ip net exec qdhcp-521717de-5dbe-4756-8ef2-fe17321eeae8   dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapa5331882-85 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host --dhcp-optsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s --conf-file= --domain=openstacklocal

and it works

--- Additional comment from Lon Hohberger on 2013-09-10 09:55:01 EDT ---

This patch was rejected, but is included for reference.

--- Additional comment from Lon Hohberger on 2013-09-10 09:58:10 EDT ---

Comment 1 Lon Hohberger 2013-09-10 14:04:29 UTC

Created attachment 796020 [details]
Patch from upstream which resolves the problem

Comment 2 Lon Hohberger 2013-09-10 14:37:40 UTC

Created attachment 796034 [details]
Untested backport

Comment 4 Lon Hohberger 2013-09-10 15:21:46 UTC

Side note: we do want contexts for both Quantum and Neutron at the same time - Dan's original patch and my backport attempt to do this.

Comment 5 Lon Hohberger 2013-09-10 19:06:01 UTC

We also had this in the existing openstack-selinux policy:

https://github.com/lhh/openstack-selinux/blob/master/openstack-selinux-quantum.te

Perhaps these small fixes could be merged.

Comment 6 Lon Hohberger 2013-09-18 19:45:13 UTC

Created attachment 799561 [details]
Tested backport

Comment 7 Lon Hohberger 2013-09-18 19:47:52 UTC

Test repository:

http://people.redhat.com/lhh/selinux-policy/

Comment 8 Lon Hohberger 2013-09-18 20:41:13 UTC

Miroslav also did a build for this; I'll update the repository with his patch/build.

Comment 9 Miroslav Grepl 2013-09-25 19:31:29 UTC

Has been already added.

Comment 13 Milos Malik 2013-10-24 10:03:30 UTC

Following 3 types were not renamed. Is it expected?

# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-228.el6.noarch
selinux-policy-mls-3.7.19-228.el6.noarch
selinux-policy-minimum-3.7.19-228.el6.noarch
selinux-policy-3.7.19-228.el6.noarch
selinux-policy-targeted-3.7.19-228.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# for I in -t -a -r -u -b -c --portcon ; do seinfo $I | grep -i quantum ; done
   quantum_port_t
   quantum_server_packet_t
   quantum_client_packet_t
	portcon tcp 9696 system_u:object_r:quantum_port_t:s0
#

Comment 14 Daniel Walsh 2013-10-29 15:27:53 UTC

We probably should rename them and add appropriate alias.

Comment 15 Miroslav Grepl 2013-10-29 15:32:48 UTC

Yes but I don't see as a big problem in RHEL6.5 now.

Comment 16 Daniel Walsh 2013-10-29 15:51:46 UTC

    3d3549c0bdd84af83fe6d1f4f3c9379e65a8f73a
    5648a674bcbedaaf89317cde3a2f38a2b206543f

    Fix this in git.

    Miroslav we should rename the module in F20 also.

Comment 17 Michal Trunecka 2013-10-30 15:25:10 UTC

I filed the last mentioned issue as a separate Bug 1024927.

Comment 19 errata-xmlrpc 2013-11-21 10:51:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.