Bug 1049807 - neutron-dhcp-agent fails to start with plenty of SELinux AVC denials
Summary: neutron-dhcp-agent fails to start with plenty of SELinux AVC denials
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: RHOS Maint
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On: 1049817
Blocks:
Reported: 2014-01-08 09:19 UTC by Kashyap Chamarthy
Modified: 2019-09-10 14:10 UTC

Fixed In Version: selinux-policy-3.12.1-113.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1049817
Environment:
Last Closed: 2016-06-05 23:15:50 UTC
Embargoed:



Description Kashyap Chamarthy 2014-01-08 09:19:35 UTC
Description of problem
----------------------

Starting neutron-dhcp-agent fails with a lot of SELinux denials.

Large stack traces along the lines of:

    [. . .]
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.register(fileno, new=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/poll.py", line 44, in register
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.poll.register(fileno, mask)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent IOError: [Errno 22] Invalid argument
    [. . .]

SELinux details:

    $ cat /var/log/audit/audit.log | audit2allow -R

    require {
            type neutron_t;
            type proc_net_t;
            type sysfs_t;
            type dnsmasq_etc_t;
            class process { signal setcap };
            class rawip_socket { getopt create setopt };
            class capability { net_raw chown net_admin dac_override sys_admin net_bind_service };
            class file { getattr read open };
            class filesystem { mount unmount };
            class netlink_route_socket nlmsg_write;
    }
    
    #============= neutron_t ==============
    allow neutron_t dnsmasq_etc_t:file { read getattr open };
    allow neutron_t proc_net_t:file { read getattr open };
    allow neutron_t self:capability { net_raw chown net_admin sys_admin net_bind_service dac_override };
    allow neutron_t self:netlink_route_socket nlmsg_write;
    allow neutron_t self:process { signal setcap };
    allow neutron_t self:rawip_socket { getopt create setopt };
    allow neutron_t sysfs_t:filesystem { mount unmount };
    corenet_tcp_bind_dns_port(neutron_t)
    corenet_udp_bind_dhcpd_port(neutron_t)
    corenet_udp_bind_dns_port(neutron_t)
    dev_mounton_sysfs(neutron_t)
    dnsmasq_exec(neutron_t)
    files_mounton_rootfs(neutron_t)
    iptables_exec(neutron_t)
    kernel_getattr_proc(neutron_t)
    kernel_request_load_module(neutron_t)


Version
-------

    $ rpm -q openstack-neutron openvswitch dnsmasq selinux-policy
    openstack-neutron-2014.1-0.1.b1.fc21.noarch
    openvswitch-2.0.0-1.fc20.x86_64
    dnsmasq-2.68-0.1.rc3.fc20.x86_64
    selinux-policy-3.12.1-106.fc20.noarch


How reproducible: Consistently.


Steps to Reproduce
------------------

    $ setenforce 1
    $ systemctl restart neutron-dhcp-agent
    $ systemctl status neutron-dhcp-agent


Actual results
--------------

neutron-dhcp-agent fails to start.

    $ less /var/log/neutron/dhcp-agent.log
    [. . .]
    2014-01-08 02:55:41.233 22829 TRACE neutron.openstack.common.threadgroup IOError: [Errno 22] Invalid argument
    2014-01-08 02:55:41.233 22829 TRACE neutron.openstack.common.threadgroup 
    2014-01-08 02:55:41.245 22829 ERROR neutron.agent.dhcp_agent [req-b5b70480-626b-41c6-bdaa-f24c6a6f5fd8 None None] Failed reporting state!
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent Traceback (most recent call last):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/dhcp_agent.py", line 577, in _report_state
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.state_rpc.report_state(ctx, self.agent_state, self.use_call)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/agent/rpc.py", line 72, in report_state
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     return self.call(context, msg, topic=self.topic)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/proxy.py", line 126, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     result = rpc.call(context, real_topic, msg, timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/__init__.py", line 140, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     return _get_impl().call(CONF, context, topic, msg, timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 767, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     rpc_amqp.get_connection_pool(conf, Connection))
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 549, in call
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     rv = multicall(conf, context, topic, msg, timeout, connection_pool)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 539, in multicall
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     connection_pool.reply_proxy = ReplyProxy(conf, connection_pool)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 192, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     super(ReplyProxy, self).__init__(conf, connection_pool, pooled=False)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/amqp.py", line 126, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     server_params=server_params)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 458, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.reconnect()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/rpc/impl_qpid.py", line 499, in reconnect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.connection.open()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "<string>", line 6, in open
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 273, in open
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.attach(timeout=timeout)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "<string>", line 6, in attach
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 291, in attach
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     if not self._ewait(lambda: self._transport_connected and not self._unlinked(), timeout=timeout):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 224, in _ewait
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.check_error()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 217, in check_error
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     raise e
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent InternalError: Traceback (most recent call last):
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/driver.py", line 495, in dispatch
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.connect()
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/driver.py", line 522, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self._transport = trans(self.connection, host, port)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/messaging/transports.py", line 28, in __init__
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.socket = connect(host, port)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/qpid/util.py", line 68, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     sock.connect(sa)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/greenio.py", line 180, in connect
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     trampoline(fd, write=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/__init__.py", line 119, in trampoline
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     listener = hub.add(hub.WRITE, fileno, current.switch)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/epolls.py", line 52, in add
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.register(fileno, new=True)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent   File "/usr/lib/python2.7/site-packages/eventlet/hubs/poll.py", line 44, in register
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent     self.poll.register(fileno, mask)
    2014-01-08 02:55:41.245 22829 TRACE neutron.agent.dhcp_agent IOError: [Errno 22] Invalid argument
    [. . .]


Expected results
----------------

neutron-dhcp-agent should start successfully with SELinux in Enforcing.


Additional info
---------------

- Not all neutron /usr/bin/neutron-* files have neutron_exec_t:

    $ ls -lZ /usr/bin/neutron*
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-db-manage
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-debug
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-dhcp-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-dhcp-setup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-l3-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-l3-setup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-lbaas-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-metadata-agent
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-netns-cleanup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-node-setup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-ns-metadata-proxy
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-openvswitch-agent
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-ovs-cleanup
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-rootwrap
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-rootwrap-xen-dom0
    -rwxr-xr-x. root root system_u:object_r:neutron_exec_t:s0 /usr/bin/neutron-server
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-server-setup
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/neutron-usage-audit


- Workaround: Place SELinux in Permissive mode

    $ setenforce 0
    $ systemctl restart neutron-dhcp-agent
    $ systemctl status neutron-dhcp-agent


- Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1024330
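To show how the audit2allow rule set above is derived from raw AVC records, so that a scoped local policy can be reviewed instead of dropping to Permissive, here is an added Python example (not from the bug report or the neutron project); the audit lines are constructed to mirror the neutron_t denials this bug describes.

```python
"""Group raw SELinux AVC denials the way audit2allow does (added example)."""
import re
from collections import defaultdict

# Constructed sample records in raw audit.log format, modelled on the
# neutron_t denials in this bug (not the reporter's attached audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389149741.245:101): avc:  denied  { read } for  pid=22829 comm="neutron-dhcp-ag" name="dnsmasq.conf" dev="sda1" ino=1234 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=file
type=AVC msg=audit(1389149741.245:102): avc:  denied  { open } for  pid=22829 comm="neutron-dhcp-ag" path="/etc/dnsmasq.conf" dev="sda1" ino=1234 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=file
type=AVC msg=audit(1389149741.250:103): avc:  denied  { net_admin } for  pid=22829 comm="ip" capability=12 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=AVC msg=audit(1389149741.251:104): avc:  denied  { nlmsg_write } for  pid=22829 comm="ip" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1389149741.251:104): arch=c000003e syscall=44 success=no exit=-13
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; user/role parts of the contexts are matched but discarded.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (m['stype'], m['ttype'], m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def to_allow_rules(denials):
    """Render grouped denials as allow rules; a same-type target is 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = 'self' if stype == ttype else ttype
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_text))
    return rules

if __name__ == '__main__':
    for rule in to_allow_rules(parse_avc(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each emitted rule can then be checked against the policy source (or the fix in bug 1049817) before being compiled into a local module, rather than granting everything audit2allow suggests.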

Comment 1 Kashyap Chamarthy 2014-01-08 09:45:14 UTC
Complete SELinux audit.log with raw AVC messages:

  http://kashyapc.fedorapeople.org/temp/audit.log

Comment 2 Kashyap Chamarthy 2014-01-08 14:49:35 UTC
Fix provided here (thanks to Miloslav Grepl): https://bugzilla.redhat.com/show_bug.cgi?id=1049817#c1

Comment 3 Kashyap Chamarthy 2014-01-08 16:41:17 UTC
Version:

    $ rpm -q selinux-policy openstack-neutron
    selinux-policy-3.12.1-113.fc20.noarch
    openstack-neutron-2014.1-0.1.b1.fc21.noarch


I can confirm this makes the neutron-dhcp-agent start successfully;
however, I still see some errors like below:

    $ > /var/log/audit/audit.log
    $ systemctl restart neutron-dhcp-agent
    $ cat /var/log/audit/audit.log | audit2allow -R

    require {
            type neutron_t;
            type ifconfig_var_run_t;
            class process signal;
            class netlink_route_socket nlmsg_write;
            class dir search;
    }

    #============= neutron_t ==============
    allow neutron_t ifconfig_var_run_t:dir search;
    allow neutron_t self:netlink_route_socket nlmsg_write;
    allow neutron_t self:process signal;


Complete audit.log while I ran the above test:
http://kashyapc.fedorapeople.org/temp/audit.log2.txt

Comment 4 Mike McCune 2016-03-28 23:26:37 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 5 Assaf Muller 2016-06-05 23:15:50 UTC
The DHCP agent starts up without SELinux violations at this stage, I think it's reasonable to close the bug.

