Bug 1024330 - Wrong SELinux policies set for neutron-dhcp-agent
Product: RDO
Classification: Community
Component: openstack-selinux
Severity: unspecified
Assigned To: Ryan Hallisey
Ofer Blaut
Blocks: 1072983
Reported: 2013-10-29 08:15 EDT by Diogo Vieira
Modified: 2016-04-26 11:21 EDT (History)

Doc Type: Bug Fix
Clones: 1072983
Last Closed: 2016-03-30 19:09:45 EDT
Type: Bug

Attachments:
dhcp-agent.log (9.28 KB, text/plain), 2013-10-29 08:15 EDT, Diogo Vieira
audit2allow (1.30 KB, text/plain), 2013-10-29 08:16 EDT, Diogo Vieira
audit2why (753 bytes, text/plain), 2013-10-29 08:17 EDT, Diogo Vieira

Description Diogo Vieira 2013-10-29 08:15:57 EDT
Created attachment 817062

Description of problem:
Trying to start up the neutron-dhcp-agent fails because of SELinux. After setenforce 0 it starts correctly.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start neutron-dhcp-agent in an OpenStack fresh install (with packstack).

Actual results:
neutron-dhcp-agent fails to start.

Expected results:
neutron-dhcp-agent should start correctly.

Additional info:
Verified in Fedora 19 Cloud Image with Openstack Havana (installed with packstack).

Relevant part of the logs attached. Because the output of audit2why is very verbose I attached only a small subset consisting of the first messages that seemed to have something to do with neutron-dhcp-agent. I can try to provide more info if needed.
Comment 1 Diogo Vieira 2013-10-29 08:16:38 EDT
Created attachment 817063
Comment 2 Diogo Vieira 2013-10-29 08:17:09 EDT
Created attachment 817064
Comment 3 Diogo Vieira 2013-10-29 08:21:33 EDT
selinux-policy and selinux-policy-targeted versions are 3.12.1.
Comment 4 Kashyap Chamarthy 2013-12-11 16:47:34 EST
Diogo, thanks for the report, a couple of things:

(1) You haven't specified complete NVR of the package you're using. You only specified version of package in comment #3 but not the revision number. Note that 3.12.1 can have a lot of *revisions* -- http://koji.fedoraproject.org/koji/packageinfo?packageID=32.

Next time, please specify full Name-Version-Release of a package. e.g. selinux-policy-3.12.1-74.10.fc19 (*if* that was the N-V-R that didn't work for you), so that it's easy to debug/narrow down issues.

  Friendly reminder: https://wiki.openstack.org/wiki/BugFilingRecommendations

(2) Can you try with latest selinux-policy and selinux-policy-targeted version packages for 6.4 in case you were using older ones?

(3) If you have time, it'll also be useful to generate a reference policy to narrow down specific AVC denials. A few commands you can try:

  # Enable SELinux
  $ setenforce 1

  # Clear your audit log
  $ > /var/log/audit/audit.log

  # Restart neutron-dhcp-agent
  $ systemctl restart neutron-dhcp-agent

  # Show a reference policy
  $ audit2allow -R < /var/log/audit/audit.log

And, if you're feeling more adventurous, you can even generate the policy by doing:

  # Generate an SELinux loadable module package
  $ audit2allow -a -M neutron

  # Install the Policy Package
  $ semodule -i neutron.pp

  # Restart neutron-dhcp-agent again
  $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.

Ref: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Lon, please correct me if I said something wrong here.
Comment 5 Kashyap Chamarthy 2013-12-11 16:49:31 EST
> (2) Can you try with latest selinux-policy and selinux-policy-targeted
> version packages for 6.4 in case you were using older ones?

I meant, for F19.
Comment 6 Lon Hohberger 2014-01-02 16:52:53 EST
neutron-dhcp-agent simply needs the right label - it should be neutron_exec_t; we shouldn't need specific policies for it.
Comment 7 Miroslav Grepl 2014-01-06 09:04:45 EST
quantum.fc:/usr/bin/neutron-dhcp-agent     --  gen_context(system_u:object_r:neutron_exec_t,s0)

We need to backport all changes to F19. CC-ing Lukas.
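Added example, not code from this bug or from the openstack-selinux project: a small shell check that turns the diagnosis in comments 6 and 7 into something you can run before following the audit2allow recipe in comment 4. It assumes the entrypoint type is neutron_exec_t and the confined domain is neutron_t (the names used above); the AVC records embedded in it are constructed to resemble an audit.log from a mislabeled binary and are not the reporter's attachment. The point it makes: if the scontext of the denials is not neutron_t, the binary is carrying the wrong label (systemd keeps a bin_t executable in init_t), and `audit2allow -M` would write allow rules for that wrong domain instead of fixing the label.

```shell
#!/bin/sh
# Added example, not code from this bug or from openstack-selinux.
# Assumptions: the agent's entrypoint should be labeled neutron_exec_t and the
# confined process domain is neutron_t (comments 6 and 7). The AVC records
# below are constructed for illustration; they are not the reporter's attachment.

EXPECTED_EXEC_TYPE=neutron_exec_t
EXPECTED_DOMAIN=neutron_t
DHCP_AGENT=/usr/bin/neutron-dhcp-agent

# A context is user:role:type[:range]; the type is the third field.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1: the file's current context      (stat -c %C FILE)
# $2: the context the loaded policy wants (matchpathcon -n FILE)
# Prints: ok | relabel (policy right, file wrong) | missing-fcontext (policy wrong)
classify_label() {
    actual_type=$(ctx_type "$1")
    policy_type=$(ctx_type "$2")
    if [ "$policy_type" != "$EXPECTED_EXEC_TYPE" ]; then
        echo missing-fcontext
    elif [ "$actual_type" != "$EXPECTED_EXEC_TYPE" ]; then
        echo relabel
    else
        echo ok
    fi
}

# Source domain type of one AVC record (the scontext= field).
avc_source_domain() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# Read audit records on stdin; print each distinct source domain other than
# the expected one. Any output means the agent is not running as neutron_t,
# so "audit2allow -M" would generate allow rules for the wrong domain.
wrong_domains() {
    grep 'type=AVC' | while IFS= read -r rec; do
        avc_source_domain "$rec"
    done | grep -v "^$EXPECTED_DOMAIN\$" | sort -u
}

# Constructed sample: a bin_t binary started by systemd stays in init_t,
# so every denial carries scontext=...:init_t:...
SAMPLE_AVC='type=AVC msg=audit(1383048000.101:45): avc:  denied  { read } for  pid=1234 comm="neutron-dhcp-ag" name="dhcp_agent.ini" dev="vda1" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:neutron_conf_t:s0 tclass=file
type=AVC msg=audit(1383048000.102:46): avc:  denied  { write } for  pid=1234 comm="neutron-dhcp-ag" name="neutron" dev="vda1" ino=4243 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir'

# Offline demonstration on the constructed data.
classify_label system_u:object_r:bin_t:s0 system_u:object_r:neutron_exec_t:s0   # relabel
printf '%s\n' "$SAMPLE_AVC" | wrong_domains                                      # init_t

# Live check, only on an SELinux host with the agent and policy tools present.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null \
   && command -v matchpathcon >/dev/null 2>&1 && [ -e "$DHCP_AGENT" ]; then
    case $(classify_label "$(stat -c %C "$DHCP_AGENT")" "$(matchpathcon -n "$DHCP_AGENT")") in
        ok)      echo "$DHCP_AGENT is already $EXPECTED_EXEC_TYPE" ;;
        relabel) echo "policy is right, file is mislabeled: restorecon -v $DHCP_AGENT" ;;
        *)       echo "policy lacks the fcontext: semanage fcontext -a -t $EXPECTED_EXEC_TYPE $DHCP_AGENT && restorecon -v $DHCP_AGENT" ;;
    esac
fi
```

On a host where `matchpathcon -n` already answers neutron_exec_t but `stat -c %C` shows bin_t, the policy update landed but the file was never relabeled, and `restorecon` alone is the fix; when `matchpathcon` itself answers bin_t, the policy package lacks the quantum.fc entry from comment 7 and a local `semanage fcontext` entry bridges the gap until the fixed package arrives. After relabeling, confirm the process domain with `ps -eZ | grep neutron-dhcp` rather than re-running audit2allow.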
Comment 8 Kashyap Chamarthy 2014-02-19 07:52:46 EST
Ping, just a periodical combing through RDO bugs. 

Any update here?
Comment 9 Miroslav Grepl 2014-04-17 07:55:08 EDT
I believe it has been already added to F19.
Comment 10 Lukas Vrabec 2014-04-18 04:49:46 EDT
I checked it and add some missing rules to F19 branch.

commit f91e97aa6f13dd05d750a79f0a87de5364a03c73
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Apr 17 18:22:00 2014 +0200

    Add some rules from F20 branch in quantum policy
