Bug 1006921 - SELinux is preventing Quantum to connect to qpidd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: x86_64 Linux
Severity: unspecified
Assigned To: Lukas Vrabec
Ben Levenson
Reported: 2013-09-11 09:57 EDT by Jakub Libosvar
Modified: 2013-09-30 09:15 EDT

Doc Type: Bug Fix
Last Closed: 2013-09-30 09:15:37 EDT
Type: Bug
Description Jakub Libosvar 2013-09-11 09:57:16 EDT
Description of problem:
When SELinux is enforcing, Quantum cannot connect to the qpidd port:
type=SYSCALL msg=audit(1378907210.977:6935): arch=c000003e syscall=42 success=no exit=-115 a0=c a1=7fffd54c50d0 a2=10 a3=8e items=0 ppid=1 pid=10764 auid=4294967295 uid=164 gid=164 euid=164 suid=164 fsuid=164 egid=164 sgid=164 fsgid=164 ses=4294967295 tty=(none) comm="python" exe="/usr/bin/python2.7" subj=system_u:system_r:quantum_t:s0 key=(null)
type=AVC msg=audit(1378907210.977:6935): avc:  denied  { name_connect } for  pid=10764 comm="python" dest=5672 scontext=system_u:system_r:quantum_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
openstack-quantum-2013.1.3-1.fc19.noarch
selinux-policy-targeted-3.12.1-74.1.fc19.noarch


How reproducible:
Always

Steps to Reproduce:
1. Run packstack with quantum and enforcing selinux

Actual results:
Installation fails because Quantum doesn't start: it cannot connect to qpidd's port.

Expected results:
Quantum connects to qpidd

Additional info:
Comment 1 Daniel Walsh 2013-09-11 10:13:22 EDT
What ports should quantum be allowed to connect to out of the box?

sepolicy network -d neutron_t
neutron_t: tcp name_connect
	111 (portmap_port_t)
	1186, 3306, 63132-63164 (mysqld_port_t)
	32768-61000 (ephemeral_port_t)
	35357 (keystone_port_t)
	53 (dns_port_t)
	5432 (postgresql_port_t)
	88, 750, 4444 (kerberos_port_t)
	9080 (ocsp_port_t)
neutron_t: tcp name_bind
	32768-61000 (ephemeral_port_t)
	9696 (quantum_port_t)
neutron_t: udp name_bind
	32768-61000 (ephemeral_port_t)

Here is what we have so far.
Comment 2 Daniel Walsh 2013-09-11 10:14:45 EDT
e688a85bdf721499e7d24f0b454a01877351d573 allows neutron to connect to the amqp port in git
Comment 3 Jakub Libosvar 2013-09-11 11:27:50 EDT
(In reply to Daniel Walsh from comment #2)
> e688a85bdf721499e7d24f0b454a01877351d573 allows neutron to connect to the amqp
> port in git

Is it gonna be applied for Grizzly, which uses quantum_t?
Comment 4 Daniel Walsh 2013-09-11 13:47:00 EDT
That is up to Miroslav when he backports it.
Comment 5 Miroslav Grepl 2013-09-30 08:40:50 EDT
Forwarded to Lukas.
Comment 6 Lukas Vrabec 2013-09-30 09:15:37 EDT
#============= quantum_t ==============

#!!!! This avc is allowed in the current policy
allow quantum_t amqp_port_t:tcp_socket name_connect;


$ rpm -q selinux-policy
selinux-policy-3.12.1-74.8.fc19.noarch


The fix is included in the current release of the package.
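Added example, not code from the bug report, from Fedora or from the SELinux tooling: it parses the AVC record quoted in the description into the allow rule audit2allow would print (the same rule shown in comment 6), and checks the denied port 5672 against the tcp name_connect listing from comment 1 to show that no existing rule for quantum_t covered it. Both constants are constructed from the records on this page.

```python
import re
# Sample input, constructed from the AVC record quoted in the description.
AVC_LINE = ('type=AVC msg=audit(1378907210.977:6935): avc:  denied  { name_connect } '
            'for  pid=10764 comm="python" dest=5672 '
            'scontext=system_u:system_r:quantum_t:s0 '
            'tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket')

# Constructed from the "neutron_t: tcp name_connect" section of the comment 1 listing.
NAME_CONNECT_LISTING = """\
    111 (portmap_port_t)
    1186, 3306, 63132-63164 (mysqld_port_t)
    32768-61000 (ephemeral_port_t)
    35357 (keystone_port_t)
    53 (dns_port_t)
    5432 (postgresql_port_t)
    88, 750, 4444 (kerberos_port_t)
    9080 (ocsp_port_t)
"""

def parse_avc(line):
    """Pull the permission set, source domain, target type, class and port out of an AVC record."""
    perms = re.search(r'\{ ([^}]+) \}', line).group(1).split()
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type:level, so the type is always the third field.
    return {
        'perms': perms,
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'dest': int(fields['dest']) if 'dest' in fields else None,
    }

def allow_rule(avc):
    """Render the rule in the form audit2allow prints (braces only for several permissions)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['sdomain']} {avc['ttype']}:{avc['tclass']} {perm_str};"

def port_type_for(port, listing):
    """Return the port type whose ranges cover `port`, or None when no name_connect rule does."""
    for ports, ptype in re.findall(r'^\s*([\d, -]+) \((\w+)\)$', listing, re.M):
        for item in ports.split(','):
            lo, _, hi = item.strip().partition('-')
            if int(lo) <= port <= int(hi or lo):
                return ptype
    return None

if __name__ == '__main__':
    print(allow_rule(parse_avc(AVC_LINE)))  # allow quantum_t amqp_port_t:tcp_socket name_connect;
    print(port_type_for(5672, NAME_CONNECT_LISTING))  # None: port 5672 was not in the listing
```

A None result from port_type_for is the gap the denial reports: the policy listed no name_connect rule for the port type that 5672 is labelled with (amqp_port_t), which is exactly what the rule added in the fix supplies.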
