Created attachment 817726 [details]
/var/log/messages excerpt on neutron network node

Description of problem:
SELinux cannot be enforced on neutron network node, otherwise instances cannot obtain their IP addresses from neutron dhcp-agent (dnsmasq gets denied).

Version: RDO Havana 3 on RHEL 6.4 using Neutron GRE Tunnel

Actual results:
Instances cannot obtain IP addresses

Expected results:
Instances to get their DHCP-based IP addresses

Additional info:
Attached /var/log/messages
Agreed, I can reproduce this on my Fedora-20. Just to note, it'd be useful to also post the result of:

$ cat /var/log/audit/audit.log | audit2allow -R

which would generate a reference policy.
Gilles, can you confirm that you still see this behavior with the current packages in RDO? If so, can you please attach the output that Kashyap requested? Thanks!
I believe it's going to be fixed with commit 5bd0f89664a31c8025af8549d5c1116da7a63922 Author: Dan Walsh <dwalsh> Date: Thu May 1 08:45:53 2014 -0400 Additional rules required by openstack, needs backport to F20 and RHEL7 diff --git a/quantum.te b/quantum.te index 73944a1..96f804c 100644 --- a/quantum.te +++ b/quantum.te @@ -29,7 +29,8 @@ systemd_unit_file(neutron_unit_file_t) # Local policy # -allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
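Review bot: the one changed line grants `neutron_t` `dac_override`, which lets the domain bypass discretionary file permission checks entirely, a much broader allowance than what is needed for dnsmasq to hand out DHCP leases; the commit message ("Additional rules required by openstack") does not cite the AVC denial that motivated it, so it should reference the audit2allow output requested earlier in this bug and say why fixing the ownership or labels of the files neutron writes is not sufficient instead. The message also says the rule still needs backporting to F20 and RHEL7, while the reporter is on RHEL 6.4, so the bug should state which package release actually carries the fix.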
Catching up. For follow up please reach out to Will Foster. Thanks
This appears to have been resolved in recent packages. Using the RDO Juno release, with the network node running in enforcing mode, I am able to successfully boot instances and access them via ping/ssh.