1006921 – SELinux is preventing Quantum to connect to qpidd

Bug 1006921 - SELinux is preventing Quantum to connect to qpidd

Summary: SELinux is preventing Quantum to connect to qpidd

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-11 13:57 UTC by Jakub Libosvar
Modified:	2013-09-30 13:15 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-09-30 13:15:37 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jakub Libosvar 2013-09-11 13:57:16 UTC

Description of problem:
When selinux is enforcing, quantum cannot connect to qpidd port
type=SYSCALL msg=audit(1378907210.977:6935): arch=c000003e syscall=42 success=no exit=-115 a0=c a1=7fffd54c50d0 a2=10 a3=8e items=0 ppid=1 pid=10764 auid=4294967295 uid=164 gid=164 euid=164 suid=164 fsuid=164 egid=164 sgid=164 fsgid=164 ses=4294967295 tty=(none) comm="python" exe="/usr/bin/python2.7" subj=system_u:system_r:quantum_t:s0 key=(null)
type=AVC msg=audit(1378907210.977:6935): avc:  denied  { name_connect } for  pid=10764 comm="python" dest=5672 scontext=system_u:system_r:quantum_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
openstack-quantum-2013.1.3-1.fc19.noarch
selinux-policy-targeted-3.12.1-74.1.fc19.noarch


How reproducible:
Always

Steps to Reproduce:
1. Run packstack with quantum and enforcing selinux
2.
3.

Actual results:
Installation fails because of quantum doesn't start because it cannot connect to qpidd's port

Expected results:
Quantum connects to qpidd

Additional info:

Comment 1 Daniel Walsh 2013-09-11 14:13:22 UTC

What ports should quantum be allowed to connect to out of the box.

sepolicy network -d neutron_t
neutron_t: tcp name_connect
	111 (portmap_port_t)
	1186, 3306, 63132-63164 (mysqld_port_t)
	32768-61000 (ephemeral_port_t)
	35357 (keystone_port_t)
	53 (dns_port_t)
	5432 (postgresql_port_t)
	88, 750, 4444 (kerberos_port_t)
	9080 (ocsp_port_t)
neutron_t: tcp name_bind
	32768-61000 (ephemeral_port_t)
	9696 (quantum_port_t)
neutron_t: udp name_bind
	32768-61000 (ephemeral_port_t)

Here is what we have so far.

Comment 2 Daniel Walsh 2013-09-11 14:14:45 UTC

e688a85bdf721499e7d24f0b454a01877351d573 allows newtron to connect to amqp port in git

Comment 3 Jakub Libosvar 2013-09-11 15:27:50 UTC

(In reply to Daniel Walsh from comment #2)
> e688a85bdf721499e7d24f0b454a01877351d573 allows newtron to connect to amqp
> port in git

Is it gonna be applied for Grizzly which uses quantum_t?

Comment 4 Daniel Walsh 2013-09-11 17:47:00 UTC

That is up 2 miroslov when he back ports it.

Comment 5 Miroslav Grepl 2013-09-30 12:40:50 UTC

Forwarded to Lukas.

Comment 6 Lukas Vrabec 2013-09-30 13:15:37 UTC

#============= quantum_t ==============

#!!!! This avc is allowed in the current policy
allow quantum_t amqp_port_t:tcp_socket name_connect;


$ rpm -q selinux-policy
selinux-policy-3.12.1-74.8.fc19.noarch


Fix is included in the current release of package.

Note You need to log in before you can comment on or make changes to this bug.