+++ This bug was initially created as a clone of Bug #1024330 +++

Description of problem:
Trying to start up the neutron-dhcp-agent fails because of SELinux. After setenforce 0 it starts correctly.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Start neutron-dhcp-agent in an OpenStack fresh install (with packstack).

Actual results:
neutron-dhcp-agent fails to start.

Expected results:
neutron-dhcp-agent should start correctly.

Additional info:
Verified in Fedora 19 Cloud Image with OpenStack Havana (installed with packstack). Relevant part of the logs attached. Because the output of audit2why is very verbose, I attached only a small subset consisting of the first messages that seemed to have something to do with neutron-dhcp-agent. I can try to provide more info if needed.

--- Additional comment from Diogo Vieira on 2013-10-29 08:16:38 EDT ---

--- Additional comment from Diogo Vieira on 2013-10-29 08:17:09 EDT ---

--- Additional comment from Diogo Vieira on 2013-10-29 08:21:33 EDT ---

selinux-policy and selinux-policy-targeted versions are 3.12.1.

--- Additional comment from Kashyap Chamarthy on 2013-12-11 16:47:34 EST ---

Diogo, thanks for the report, a couple of things:

(1) You haven't specified complete NVR of the package you're using. You only specified version of package in comment #3 but not the revision number. Note that 3.12.1 can have a lot of *revisions* -- http://koji.fedoraproject.org/koji/packageinfo?packageID=32. Next time, please specify full Name-Version-Release of a package, e.g. selinux-policy-3.12.1-74.10.fc19 (*if* that was the N-V-R that didn't work for you), so that it's easy to debug/narrow down issues. Friendly reminder: https://wiki.openstack.org/wiki/BugFilingRecommendations

(2) Can you try with latest selinux-policy and selinux-policy-targeted version packages for 6.4 in case you were using older ones?

(3) If you have time, it'll also be useful to generate a reference policy to narrow down specific AVC denials. A few commands you can try:

    # Enable SELinux
    $ setenforce 1

    # Clear your audit log
    $ > /var/log/audit/audit.log

    # Restart neutron-dhcp-agent
    $ systemctl restart neutron-dhcp-agent

    # Show a reference policy
    $ cat /var/log/audit/audit.log | audit2allow -R

And, if you're feeling more adventurous, you can even generate the policy by doing:

    # Generate an SELinux loadable module package
    $ audit2allow -a -M neutron

    # Install the Policy Package
    $ semodule -i neutron.pp

    # Restart neutron-dhcp-agent again
    $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.

Ref: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

Lon, please correct me if I said something wrong here.

--- Additional comment from Kashyap Chamarthy on 2013-12-11 16:49:31 EST ---

> (2) Can you try with latest selinux-policy and selinux-policy-targeted
> version packages for 6.4 in case you were using older ones?

I meant, for F19.

--- Additional comment from Lon Hohberger on 2014-01-02 16:52:53 EST ---

neutron-dhcp-agent simply needs the right label - it should be neutron_exec_t; we shouldn't need specific policies for it.

--- Additional comment from Miroslav Grepl on 2014-01-06 09:04:45 EST ---

quantum.fc:/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)

We need to back port all changes to F19. CC-ing Lukas.

--- Additional comment from Kashyap Chamarthy on 2014-02-19 07:52:46 EST ---

Ping, just a periodical combing through RDO bugs. Any update here?
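
The label check that Lon Hohberger's and Miroslav Grepl's comments point to, as an added example that is not part of the original thread or of the selinux-policy project: it compares a file's SELinux type with the type assigned by the quantum.fc entry quoted above (with grep's "quantum.fc:" prefix removed). The function names are hypothetical, and the bin_t context mentioned in the comments is a constructed sample, not a value from the attached logs.

```shell
#!/bin/sh
# Added example: does a file carry the type its .fc entry assigns?

# Entry quoted in the bug: path regex, file-type flag, context macro.
FC_ENTRY='/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)'

# Print the type field from "gen_context(user:role:type,range)".
fc_expected_type() {
    printf '%s\n' "$1" |
        sed -n 's/.*gen_context([^:]*:[^:]*:\([^,:)]*\).*/\1/p'
}

# Print the path regex (first whitespace-separated field) of an entry.
fc_path_regex() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Print the type (third colon-separated field) of a full context,
# e.g. "system_u:object_r:bin_t:s0" (constructed sample) gives "bin_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_status ENTRY PATH ACTUAL_CONTEXT
# Prints "ok", "mislabeled have=X want=Y", or "no-match" when ENTRY does
# not cover PATH. File-context regexes are anchored at both ends.
label_status() {
    regex=$(fc_path_regex "$1")
    printf '%s\n' "$2" | grep -Eq "^${regex}\$" || { echo "no-match"; return 2; }
    want=$(fc_expected_type "$1")
    have=$(context_type "$3")
    if [ "$have" = "$want" ]; then
        echo "ok"
    else
        echo "mislabeled have=$have want=$want"
        return 1
    fi
}

# On a live SELinux host (assumes GNU stat, whose %C prints the context).
check_installed_file() {
    label_status "$FC_ENTRY" "$1" "$(stat -c %C "$1")"
}
```

On a host with the policy installed, `matchpathcon -V <path>` performs the same comparison against the loaded file-context database, and `restorecon -v <path>` applies the expected label.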
commit 4a9112d8bbf489fed23b4fe7216f5cdea010c692
Author: Lukas Vrabec <lvrabec>
Date:   Thu Mar 13 15:41:12 2014 +0100

    Backported quantum and neutron rules from rawhide
selinux-policy-3.12.1-74.23.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.23.fc19
Package selinux-policy-3.12.1-74.23.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.23.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4216/selinux-policy-3.12.1-74.23.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.