Created attachment 817062 [details]
dhcp-agent.log

Description of problem:
Trying to start up the neutron-dhcp-agent fails because of SELinux. After setenforce 0 it starts correctly.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Start neutron-dhcp-agent in an openstack fresh install (with packstack).

Actual results:
neutron-dhcp-agent fails to start.

Expected results:
neutron-dhcp-agent should start correctly.

Additional info:
Verified in Fedora 19 Cloud Image with Openstack Havana (installed with packstack). Relevant part of the logs attached. Because the output of audit2why is very verbose I attached only a small subset consisting of the first messages that seemed to have something to do with neutron-dhcp-agent. I can try to provide more info if needed.
Created attachment 817063 [details] audit2allow
Created attachment 817064 [details] audit2why
selinux-policy and selinux-policy-targeted versions are 3.12.1.
Diogo, thanks for the report, a couple of things:

(1) You haven't specified complete NVR of the package you're using. You only specified version of package in comment #3 but not the revision number. Note that 3.12.1 can have a lot of *revisions* -- http://koji.fedoraproject.org/koji/packageinfo?packageID=32. Next time, please specify full Name-Version-Release of a package, e.g. selinux-policy-3.12.1-74.10.fc19 (*if* that was the N-V-R that didn't work for you), so that it's easy to debug/narrow down issues. Friendly reminder: https://wiki.openstack.org/wiki/BugFilingRecommendations

(2) Can you try with latest selinux-policy and selinux-policy-targeted version packages for 6.4 in case you were using older ones?

(3) If you have time, it'll also be useful to generate a reference policy to narrow down specific AVC denials. A few commands you can try:

  # Enable SELinux
  $ setenforce 1

  # Clear your audit log
  $ > /var/log/audit/audit.log

  # Restart neutron-dhcp-agent
  $ systemctl restart neutron-dhcp-agent

  # Show a reference policy
  $ cat /var/log/audit/audit.log | audit2allow -R

And, if you're feeling more adventurous, you can even generate the policy by doing:

  # Generate an SELinux loadable module package
  $ audit2allow -a -M neutron

  # Install the Policy Package
  $ semodule -i neutron.pp

  # Restart neutron-dhcp-agent again
  $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.

Ref: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Lon, please correct me if I said something wrong here.
> (2) Can you try with latest selinux-policy and selinux-policy-targeted
> version packages for 6.4 in case you were using older ones?

I meant, for F19.
neutron-dhcp-agent simply needs the right label - it should be neutron_exec_t; we shouldn't need specific policies for it.
quantum.fc:/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)

We need to backport all changes to F19. CC-ing Lukas.
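To make the triage discussed in the comments above concrete, here is an added Python example (not code from this bug report, nor from selinux-policy or neutron) that parses AVC records of the kind audit2allow/audit2why consume and checks whether a daemon's denials come from its expected confined domain. It assumes neutron_t is the domain that neutron_exec_t transitions into (an assumption, not stated in the bug), and the audit lines below are constructed, not the attached log.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (illustrative; not the attachment from the bug).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1382000000.101:301): avc:  denied  { read } for  pid=1234 comm="neutron-dhcp-ag" name="dhcp_agent.ini" dev="vda1" ino=4711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1382000000.101:301): arch=c000003e syscall=2 success=no exit=-13 comm="neutron-dhcp-ag"
type=AVC msg=audit(1382000000.102:302): avc:  denied  { execute } for  pid=1234 comm="neutron-dhcp-ag" name="dnsmasq" dev="vda1" ino=4712 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=file
type=AVC msg=audit(1382000000.103:303): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="vda1" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial; SYSCALL and other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        # A context is user:role:type:level; only the type matters for triage.
        d["sdomain"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def triage(denials, comm_prefix, expected_domain):
    """Group one daemon's denials and say whether it ran in its own domain.

    The kernel truncates comm to 15 bytes, so callers match on a prefix.
    If no denial originates from expected_domain (assumed: neutron_t for
    neutron_exec_t), the executable is most likely mislabelled rather than
    short of allow rules, so restorecon is the fix, not a generated module.
    """
    mine = [d for d in denials if d["comm"].startswith(comm_prefix)]
    domains = Counter(d["sdomain"] for d in mine)
    return {
        "denials": len(mine),
        "domains": dict(domains),
        "likely_mislabelled": bool(mine) and expected_domain not in domains,
    }


if __name__ == "__main__":
    print(triage(parse_avc(SAMPLE_AUDIT), "neutron-dhcp-agent"[:15], "neutron_t"))
```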
Ping, just a periodical combing through RDO bugs. Any update here?
I believe it has already been added to F19.
I checked it and added some missing rules to the F19 branch.

commit f91e97aa6f13dd05d750a79f0a87de5364a03c73
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 17 18:22:00 2014 +0200

    Add some rules from F20 branch in quantum policy