Bug 1039204
| Summary: | neutron-vpn-agent needs permission for arping | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Terry Wilson <twilson> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED ERRATA | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.0 | CC: | breeler, ddomingo, hateya, lhh, lpeer, mgrepl, sclewis, yeylon |
| Target Milestone: | rc | Keywords: | OtherQA |
| Target Release: | 4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.1.3-2.el6ost | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1042939 | Environment: | |
| Last Closed: | 2013-12-20 00:43:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1032450, 1042939 | | |
| Attachments: | | | |
Description of problem:
neutron-vpn-agent fails to run successfully due to inability to run arping. It should be allowed to do the same things that the l3 agent does.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. service neutron-vpn-agent start

Actual results:

```
----
type=SYSCALL msg=audit(12/05/2013 23:49:30.485:92783) : arch=x86_64 syscall=execve success=yes exit=0 a0=7fffe053de48 a1=7fffe05420b8 a2=7fffe0542100 a3=7fffe053dc80 items=0 ppid=14929 pid=14931 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=arping exe=/sbin/arping subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute_no_trans } for pid=14931 comm=ip path=/sbin/arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { read open } for pid=14931 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute } for pid=14931 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:30.485:92784) : arch=x86_64 syscall=setuid success=yes exit=0 a0=0 a1=0 a2=7f48513d4300 a3=7fff8da5e560 items=0 ppid=14929 pid=14931 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=arping exe=/sbin/arping subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:30.485:92784) : avc: denied { setuid } for pid=14931 comm=arping capability=setuid scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:ifconfig_t:s0 tclass=capability
----
type=SYSCALL msg=audit(12/05/2013 23:49:53.932:93119) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fffc1b9d3a8 a1=7fffc1ba1618 a2=7fffc1ba1660 a3=7fffc1b9d1e0 items=0 ppid=15281 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:53.932:93119) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:53.932:93120) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fffc1b9d3a4 a1=7fffc1ba1618 a2=7fffc1ba1660 a3=7fffc1b9d1e0 items=0 ppid=15281 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:53.932:93120) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:55.505:93211) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fff5036dce8 a1=7fff50371f58 a2=7fff50371fa0 a3=7fff5036db20 items=0 ppid=15394 pid=15398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:55.505:93211) : avc: denied { execute } for pid=15398 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(12/05/2013 23:49:55.505:93212) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=7fff5036dce4 a1=7fff50371f58 a2=7fff50371fa0 a3=7fff5036db20 items=0 ppid=15394 pid=15398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=ip exe=/sbin/ip subj=unconfined_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(12/05/2013 23:49:55.505:93212) : avc: denied { execute } for pid=15398 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
```

Expected results:
no selinux errors

Is this a case where we get ifconfig_t instead of neutron_t? If no, netutils_domtrans(ifconfig_t)

Miroslav, neutron-vpn-agent is simply with the wrong label like a few other neutron daemons. I'll semanage it in %post, but we'll need a clone fix in 6.5. /usr/bin/neutron-vpn-agent needs to be neutron_exec_t:s0

Created attachment 834385: Spec file change

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html
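A small triage helper, added here as an example and not part of the bug report or of openstack-selinux: it parses ausearch-style AVC lines (the sample below is constructed from three of the records above), groups denials by source domain, target type, class and permissions, and reports any source domain other than the one the daemon is expected to run in. The `neutron_t` expectation is taken from the comment above; a daemon showing up under a different domain (here `ifconfig_t`) points at a wrong file context on its binary rather than at a missing allow rule.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records from this bug, one per line as ausearch -i prints them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/05/2013 23:49:30.485:92783) : avc: denied { execute_no_trans } for pid=14931 comm=ip path=/sbin/arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
type=AVC msg=audit(12/05/2013 23:49:30.485:92784) : avc: denied { setuid } for pid=14931 comm=arping capability=setuid scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:system_r:ifconfig_t:s0 tclass=capability
type=AVC msg=audit(12/05/2013 23:49:53.932:93119) : avc: denied { execute } for pid=15283 comm=ip name=arping dev=dm-0 ino=132672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Count denials per (source domain, target type, class, permissions) tuple."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return dict(counts)


def unexpected_domains(text, expected_domain):
    """Source domains seen in the log that differ from the daemon's expected domain.

    A non-empty result means the process never transitioned into expected_domain,
    so the fix is the exec_t label on the daemon binary, not a new allow rule."""
    seen = {rec["sdomain"] for rec in map(parse_avc, text.splitlines()) if rec}
    return seen - {expected_domain}


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(n, *key)
    print("running outside expected domain:", unexpected_domains(SAMPLE_AUDIT, "neutron_t"))
```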