Description of problem:
neutron-vpn-agent fails to run successfully due to inability to run arping. It should be allowed to do the same things that the l3 agent does.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. service neutron-vpn-agent start

Actual results:
----
type=SYSCALL msg=audit(12/05/2013 23:49:30.485:92783) : arch=x86_64 syscall=execve success=yes exit=0 a0=7fffe053de48 a1=7fffe05420b8 a2=7fffe0542100 a3=7fffe053dc80 items=0 ppid=14929 pid=14931 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=arping exe=/sbin/arping subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute_no_trans } for pid=14931 comm=ip path=/sbin/arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { read open } for pid=14931 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute } for pid=14931 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:30.485:92784) : arch=x86_64 syscall=setuid success=yes exit=0 a0=0 a1=0 a2=7f48513d4300 a3=7fff8da5e560 items=0 ppid=14929 pid=14931 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=arping exe=/sbin/arping subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:30.485:92784) : avc: denied { setuid } for pid=14931 comm=arping capability=setuid scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:ifconfig_t:s0 tclass=capability
----
type=SYSCALL msg=audit(12/05/2013 23:49:53.932:93119) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fffc1b9d3a8 a1=7fffc1ba1618 a2=7fffc1ba1660 a3=7fffc1b9d1e0 items=0 ppid=15281 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:53.932:93119) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:53.932:93120) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fffc1b9d3a4 a1=7fffc1ba1618 a2=7fffc1ba1660 a3=7fffc1b9d1e0 items=0 ppid=15281 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:53.932:93120) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:55.505:93211) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fff5036dce8 a1=7fff50371f58 a2=7fff50371fa0 a3=7fff5036db20 items=0 ppid=15394 pid=15398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:55.505:93211) : avc: denied { execute } for pid=15398 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:55.505:93212) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fff5036dce4 a1=7fff50371f58 a2=7fff50371fa0 a3=7fff5036db20 items=0 ppid=15394 pid=15398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:55.505:93212) : avc: denied { execute } for pid=15398 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file

Expected results:
no SELinux errors
Is this a case where we get ifconfig_t instead of neutron_t?
If no, netutils_domtrans(ifconfig_t)
Miroslav, neutron-vpn-agent is simply with the wrong label like a few other neutron daemons. I'll semanage it in %post, but we'll need a clone fix in 6.5. /usr/bin/neutron-vpn-agent needs to be neutron_exec_t:s0
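The two fixes discussed in this thread can be told apart from the audit records themselves: a domain that is denied execute or execute_no_trans on a *_exec_t file is missing a domain transition (the netutils_domtrans(ifconfig_t) suggestion), while a daemon whose own binary carries the wrong file type never enters its confined domain in the first place (the neutron_exec_t relabel). The script below is an added example and is not part of this bug report, of selinux-policy or of openstack-neutron. It parses `ausearch -i` style AVC records (the sample is copied from the denials quoted in the description, with SYSCALL lines trimmed), summarises them, lists candidate missing transitions, and, on an SELinux host, checks the on-disk label of a binary. The path and expected type in the final check are taken from the comment above; the helper names are my own.

```python
"""Summarise SELinux AVC denials and separate the two root causes discussed
in this bug: a missing *_domtrans() transition versus a mis-labelled
executable.  Added example; not code from the bug report or the packages."""
import os
import re
from collections import Counter

# Constructed sample: a subset of the records quoted in the bug description.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute_no_trans } for pid=14931 comm=ip path=/sbin/arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { read open } for pid=14931 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92784) : avc: denied { setuid } for pid=14931 comm=arping capability=setuid scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:ifconfig_t:s0 tclass=capability
type=SYSCALL msg=audit(12/05/2013 23:49:53.932:93119) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:53.932:93119) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    # The rest of the record is key=value; tokens without '=' are ignored.
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name") or fields.get("capability"),
    }


def summarise(audit_text):
    """Count denials by (source domain, permission, object class, target type)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["sdomain"], perm, rec["tclass"], rec["ttype"])] += 1
    return dict(counts)


def missing_domtrans(audit_text):
    """(source domain, entrypoint type) pairs where a domain was denied execute or
    execute_no_trans on a *_exec_t file.  Each pair is a candidate for the
    matching *_domtrans(<domain>) interface, e.g. netutils_domtrans(ifconfig_t)."""
    pairs = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["tclass"] != "file" or not rec["ttype"].endswith("_exec_t"):
            continue
        if {"execute", "execute_no_trans"} & set(rec["perms"]):
            pairs.add((rec["sdomain"], rec["ttype"]))
    return pairs


def label_type_matches(label, expected_type):
    """True if a file label (as shown by `ls -Z`) carries the expected type."""
    return context_type(label.rstrip("\0")) == expected_type


def executable_label_ok(path, expected_type):
    """Read the on-disk SELinux label of `path` and compare its type.  Returns
    None when the label cannot be read (no SELinux/xattr support, missing file)."""
    try:
        label = os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):
        return None
    return label_type_matches(label, expected_type)


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_AUDIT).items()):
        print(n, *key)
    print("candidate missing transitions:", missing_domtrans(SAMPLE_AUDIT))
    # Expected type for the daemon per the maintainer's comment in this bug.
    print("/usr/bin/neutron-vpn-agent labelled neutron_exec_t:",
          executable_label_ok("/usr/bin/neutron-vpn-agent", "neutron_exec_t"))
```

On the sample, the summary shows every denial originating from ifconfig_t, and the only candidate transition is (ifconfig_t, netutils_exec_t). A False from the final check on a real host is the relabel case: the agent binary carries some other type, so a `semanage fcontext` entry plus `restorecon` (or the spec-file %post change attached below) is the fix rather than new policy rules.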
Created attachment 834385: Spec file change
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html