Created attachment 881584 [details]
avc denials logged in permissive mode

Description of problem:
Within a tripleo-based instack-undercloud environment, nova baremetal instances fail to find an image to boot when selinux is set to enforcing mode. The instances are able to boot when selinux is set to permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135.fc20.noarch
selinux-policy-targeted-3.12.1-135.fc20.noarch
openstack-neutron-2014.1-0.10.b3.fc21.noarch
openstack-neutron-openvswitch-2014.1-0.10.b3.fc21.noarch
iproute-3.12.0-2.fc20.x86_64
tftp-server-5.2-10.fc20.x86_64
dnsmasq-2.68-1.fc20.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install instack-undercloud using the instructions on https://github.com/agroup; use README-virt to set up your baremetal nodes and an instack vm. Afterwards I use the package-based install using the instack-undercloud source instead of the rpm. I will attach instack.answers and deployrc, which are additional configuration files.

The commands I run to install the undercloud and then deploy the overcloud are:

sudo yum -y install http://repos.fedorapeople.org/repos/openstack-m/openstack-m/openstack-m-release-icehouse-2.noarch.rpm
sudo yum -y install yum-utils git
sudo yum-config-manager --enable fedora-openstack-m-testing
[ -d instack-undercloud ] || git clone https://github.com/agroup/instack-undercloud -b selinux
sed -i 's/\/usr\/share\/instack-undercloud\/json/instack-undercloud\/json/g' instack-undercloud/scripts/instack-install-undercloud-packages
sed -i 's/\/usr\/share\/instack-undercloud/instack-undercloud\/elements/g' instack-undercloud/scripts/instack-install-undercloud-packages
export PATH=instack-undercloud/scripts:$PATH
sudo yum -y install instack
instack-install-undercloud-packages
sudo tuskar-dbsync --config-file /etc/tuskar/tuskar.conf
sudo service openstack-tuskar-api restart
instack-prepare-for-overcloud
source deployrc
instack-deploy-overcloud

Actual results:
baremetal nodes fail to boot when selinux is enforcing

Expected results:
baremetal nodes should boot and instack-deploy-overcloud should complete successfully when selinux is enforcing

Additional info:
Created attachment 881586 [details]
instack.answers file used in undercloud install

Usually you only need to change VIRTUAL_POWER_USER, VIRTUAL_POWER_HOST, and SSH_KEY to match your environment.
Created attachment 881587 [details]
deployrc file containing additional environment variables needed when deploying the overcloud

Usually you only need to change MACS to match your environment.
commit e95d2ee0354f1186f06a2b7f5e331edcee9fe318
Author: Miroslav Grepl <mgrepl>
Date:   Wed Apr 2 10:51:46 2014 +0200

    Add additional fixes for neutron_t. #1083335
The additional fixes for neutron_t plus relabeling /tftpboot eliminate the avc denials I was seeing before when selinux is set to permissive mode. So thank you for the quick turnaround. But when selinux is set to enforcing I see additional denials. It happens less than half of the time when I start up the instances and didn't affect all the instances. I will post them as an attachment here. In permissive mode I did notice one other denial when the baremetal instances are shut down. I will attach the audit log too.
Created attachment 882086 [details]
avc denials seen after neutron_t and /tftpboot fixes in enforcing mode
Created attachment 882087 [details]
avc denials seen after neutron_t and /tftpboot fixes in permissive mode
Try to add a local policy:

1. Re-test in permissive
2. ausearch -m avc -ts recent | audit2allow -M mypol
3. semodule -i mypol.pp

and re-test again in enforcing.
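The review step that belongs between the ausearch/audit2allow and semodule steps above, as an added example (not code from this bug, from audit2allow or from selinux-policy): it parses raw AVC records, groups them into the allow rules a local module would contain, and flags permissions an administrator should justify before loading rather than granting blindly. The audit lines are constructed to resemble the neutron_t/dnsmasq denials discussed in this report, and the REVIEW_PERMS list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denials this bug describes
# (neutron_t lacking net_raw, neutron_t sending sigkill to dnsmasq_t); they are
# not the logs attached to the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1396456321.112:4021): avc:  denied  { net_raw } for  pid=2413 comm="neutron-dhcp-ag" capability=13  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=AVC msg=audit(1396456322.507:4022): avc:  denied  { sigkill } for  pid=2413 comm="neutron-dhcp-ag" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
type=AVC msg=audit(1396456322.507:4023): avc:  denied  { sigkill } for  pid=2413 comm="neutron-dhcp-ag" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process
type=SYSCALL msg=audit(1396456322.507:4023): arch=c000003e syscall=62 success=no exit=-13
"""

# Pull the permission set, source type, target type and object class out of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Permissions that deserve a written justification before they go into a local
# module; this list is an assumption for the example, not from the bug.
REVIEW_PERMS = {"sys_admin", "dac_override", "execmem", "execstack", "setenforce"}

def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def render_te(rules, name):
    """Emit module source in the shape audit2allow -M writes to <name>.te."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        target = "self" if s == t else t            # audit2allow writes self for s == t
        plist = sorted(perms)
        perm = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {s} {target}:{cls} {perm};")
    return "\n".join(out) + "\n"

def flag_for_review(rules):
    """Return (rule key, permission) pairs that should be justified, not just allowed."""
    return [(key, p) for key, perms in rules.items() for p in sorted(perms) if p in REVIEW_PERMS]
```

Generate the .te with render_te(parse_denials(open("/var/log/audit/audit.log").read()), "mypol") and read flag_for_review's output before running checkmodule/semodule_package/semodule.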
Hi Miroslav, I added a few custom policies and they have eliminated the avc denials. I will upload them in an attachment. Can we have them incorporated into the next selinux policy package update? Thanks.
Created attachment 882398 [details]
custom policies to fix avc denials
commit effbcb0850772b84d39fadc3da4dc81f50643a4c
Author: Miroslav Grepl <mgrepl>
Date:   Fri Apr 4 09:35:19 2014 +0200

    Allow net_raw cap for neutron_t and send sigkill to dnsmasq
I see it got incorporated into http://koji.fedoraproject.org/koji/buildinfo?buildID=509270. Thank you.
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20
Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.