Bug 1108187

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux blocks Non-HA neutron deployment with VLAN (comm="ovs-vsctl") | | |
| Product | Red Hat OpenStack | Reporter | Omri Hochman <ohochman> |
| Component | openstack-selinux | Assignee | Lon Hohberger <lhh> |
| Status | CLOSED ERRATA | QA Contact | Ami Jeain <ajeain> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 5.0 (RHEL 7) | CC | lhh, mburns, mgrepl, yeylon |
| Target Milestone | rc | | |
| Target Release | 5.0 (RHEL 7) | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | openstack-selinux-0.5.0-0.el7ost | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-07-08 15:14:21 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
I'm seeing this too, not sure if it's the same bug, looks like.
```
Jun 11 09:58:10 5254001cda3e kernel: type=1400 audit(1402480690.742:8): avc: denied { write } for pid=2955 comm="ovs-vsctl" path="/tmp/puppet20140611-2677-pdqe9r" dev="dm-0" ino=25723571 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 09:58:10 5254001cda3e kernel: type=1400 audit(1402480690.742:9): avc: denied { write } for pid=2955 comm="ovs-vsctl" path="/tmp/puppet20140611-2677-pdqe9r" dev="dm-0" ino=25723571 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 09:58:10 5254001cda3e systemd: Starting OpenStack Neutron Open vSwitch Cleanup Utility...
Jun 11 09:58:11 5254001cda3e systemd: Started OpenStack Neutron Open vSwitch Cleanup Utility.
Jun 11 09:58:11 5254001cda3e puppet-agent[2677]: (/Stage[main]/Neutron::Agents::Ovs/Service[ovs-cleanup-service]/ensure) ensure changed 'stopped' to 'running'
Jun 11 09:58:11 5254001cda3e puppet-agent[2677]: (/Stage[main]/Neutron::Server::Notifications/Nova_admin_tenant_id_setter[nova_admin_tenant_id]/ensure) created
Jun 11 09:58:11 5254001cda3e kernel: type=1400 audit(1402480691.897:10): avc: denied { write } for pid=3038 comm="ovs-vsctl" path="/tmp/puppet20140611-2677-v33adv" dev="dm-0" ino=25723571 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 09:58:11 5254001cda3e kernel: type=1400 audit(1402480691.897:11): avc: denied { write } for pid=3038 comm="ovs-vsctl" path="/tmp/puppet20140611-2677-v33adv" dev="dm-0" ino=25723571 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
```
Created attachment 907759: me

Created attachment 907760: audit.log
So, when this happens, to correctly fix this, we need to figure out how puppet is calling ovs-vsctl. To start:

```
# ps -efZ | grep init_t
```

To add another data point, I wasn't able to reproduce the error by using the VlanManager with packstack --allinone. I have selinux-policy-targeted-3.12.1-153.el7_0.10.noarch.

Verified:
openstack-selinux-0.5.2-2.el7ost.noarch
openstack-puppet-modules-2014.1-16.2.el6ost.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html
Rubygem-Staypuft: SELinux blocks Non-HA neutron deployment with VLAN (comm="ovs-vsctl")

Environment (foreman puddle: 2014-06-10.3):
------------
openstack-foreman-installer-2.0.5-1.el6ost.noarch
openstack-puppet-modules-2014.1-14.1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7_0.10.noarch
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64

Description:
-------------
During Installation using staypuft of neutron deployment with VLAN - the Neutron-networker / Neutron-compute will remain in status Error.

Workaround:
-------------
setenforce 0

/var/log/messages (Attached):
------------------------------
```
Jun 11 13:06:19 001a4a16981f dbus[535]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Jun 11 13:06:19 001a4a16981f dbus-daemon: dbus[535]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Jun 11 13:06:19 001a4a16981f systemd: Starting Network Manager Script Dispatcher Service...
Jun 11 13:06:19 001a4a16981f dbus-daemon: dbus[535]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 11 13:06:19 001a4a16981f dbus[535]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 11 13:06:19 001a4a16981f systemd: Started Network Manager Script Dispatcher Service.
Jun 11 13:08:11 001a4a16981f kernel: audit_printk_skb: 48 callbacks suppressed
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.441:440): avc: denied { write } for pid=30102 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-135wz5t" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.441:441): avc: denied { write } for pid=30102 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-135wz5t" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.602:442): avc: denied { write } for pid=30105 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-1ag8fe5" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.602:443): avc: denied { write } for pid=30105 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-1ag8fe5" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.634:444): avc: denied { write } for pid=30108 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-1h0csvg" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.634:445): avc: denied { write } for pid=30108 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-1h0csvg" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.666:446): avc: denied { write } for pid=30111 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-wlufo" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.666:447): avc: denied { write } for pid=30111 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-wlufo" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.701:448): avc: denied { write } for pid=30114 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-2aella" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.702:449): avc: denied { write } for pid=30114 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-2aella" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
Jun 11 13:08:11 001a4a16981f ovs-vsctl: ovs|00001|vsctl|INFO|Called as /usr/bin/ovs-vsctl br-set-external-id br-eth3 bridge-id br-eth3
Jun 11 13:08:11 001a4a16981f puppet-agent[29744]: (/Stage[main]/Neutron::Agents::Ovs/Neutron::Plugins::Ovs::Bridge[inter-vlan:br-eth3]/Vs_bridge[br-eth3]/external_ids) external_ids changed '' to 'bridge-id=br-eth3'
```

From Audit.log (attached):
--------------------------
```
type=AVC msg=audit(1402493894.436:699): avc: denied { write } for pid=31719 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-1d2fgky" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.436:699): arch=c000003e syscall=59 success=yes exit=0 a0=2d58508 a1=4ac5018 a2=3d46890 a3=7fff046960c0 items=0 ppid=31236 pid=31719 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1402493894.466:700): avc: denied { write } for pid=31722 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-642fdw" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.466:700): avc: denied { write } for pid=31722 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-642fdw" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.466:700): arch=c000003e syscall=59 success=yes exit=0 a0=2d5dda0 a1=44687b8 a2=3d46890 a3=7fff046959c0 items=0 ppid=31236 pid=31722 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1402493894.500:701): avc: denied { write } for pid=31725 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-18fpbim" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.500:701): avc: denied { write } for pid=31725 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-18fpbim" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.500:701): arch=c000003e syscall=59 success=yes exit=0 a0=2fe0c08 a1=4efe3c8 a2=3d46890 a3=7fff046963e0 items=0 ppid=31236 pid=31725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1402493894.533:702): avc: denied { write } for pid=31728 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-wmpi6i" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.533:702): avc: denied { write } for pid=31728 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-wmpi6i" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.533:702): arch=c000003e syscall=59 success=yes exit=0 a0=2d71530 a1=4ef4808 a2=3d46890 a3=7fff04695c30 items=0 ppid=31236 pid=31728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1402493894.575:703): avc: denied { write } for pid=31731 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-1tceaj" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.575:703): avc: denied { write } for pid=31731 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-1tceaj" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.575:703): arch=c000003e syscall=59 success=yes exit=0 a0=2e04858 a1=3c7ef28 a2=3d46890 a3=7fff046965a0 items=0 ppid=31236 pid=31731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1402493894.617:704): avc: denied { write } for pid=31734 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-axul89" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.617:704): avc: denied { write } for pid=31734 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-axul89" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
```
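The AVC records quoted above all reduce to one policy question: a process in openvswitch_t (ovs-vsctl) is denied write on a file labelled init_tmp_t, a Puppet temp file whose name carries the agent pid (29744 in /var/log/messages, 31236 in audit.log, which is also the ppid in the matching SYSCALL record). The following Python script is an added example written for this page, not code from Red Hat, openstack-selinux or Bugzilla. It groups denials by source type, target type, class and permission, prints the minimal allow rule each group would need (the same shape audit2allow proposes), and pairs each audit.log AVC with its SYSCALL record through the shared audit serial so the parent pid is visible, which is the data point the "how is puppet calling ovs-vsctl" step is after. The sample lines are constructed to match the shape of the records in this report; the real fix shipped in openstack-selinux-0.5.0-0.el7ost, and a blanket allow rule is only the candidate a policy author would start from.

```python
"""Group SELinux AVC denials and tie audit.log AVC records to their SYSCALL record.

Added example for this bug report; not code from Red Hat, openstack-selinux or Bugzilla.
"""
import re
from collections import defaultdict

# Constructed sample, shaped after the records quoted in this bug: one syslog-style
# kernel line, one audit.log AVC record and the SYSCALL record sharing its serial.
SAMPLE_LOG = """\
Jun 11 13:08:11 001a4a16981f kernel: type=1400 audit(1402492091.441:440): avc:  denied  { write }  for  pid=30102 comm="ovs-vsctl" path="/tmp/puppet20140611-29744-135wz5t" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1402493894.436:699): avc:  denied  { write }  for  pid=31719 comm="ovs-vsctl" path="/tmp/puppet20140611-31236-1d2fgky" dev="dm-1" ino=101120987 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1402493894.436:699): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=31236 pid=31719 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:openvswitch_t:s0 key=(null)
"""

# Both the kernel (type=1400) and audit.log (type=AVC) layouts carry the same fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+path="(?P<path>[^"]*)")?.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# The serial after the timestamp ties an AVC record to the SYSCALL record of the same event.
SERIAL_RE = re.compile(r'audit\(\d+\.\d+:(?P<serial>\d+)\)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL\b.*?\bppid=(?P<ppid>\d+)\s+pid=(?P<pid>\d+).*?\bexe="(?P<exe>[^"]*)"'
)
# Puppet names its temp files /tmp/puppet<date>-<agent pid>-<random>.
PUPPET_TMP_RE = re.compile(r'/tmp/puppet\d{8}-(?P<pid>\d+)-')


def selinux_type(context):
    """'system_u:system_r:openvswitch_t:s0' -> 'openvswitch_t'"""
    return context.split(':')[2]


def puppet_run_pid(path):
    """Return the puppet-agent pid embedded in a Puppet temp file path, or None."""
    m = PUPPET_TMP_RE.match(path or '')
    return int(m.group('pid')) if m else None


def parse_avc(line):
    """Parse one denial line (either layout) into a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    s = SERIAL_RE.search(line)
    return {
        'serial': s.group('serial') if s else None,
        'perms': m.group('perms').split(),
        'pid': int(m.group('pid')),
        'comm': m.group('comm'),
        'path': m.group('path'),
        'tmp_owner': puppet_run_pid(m.group('path')),
        'stype': selinux_type(m.group('scontext')),
        'ttype': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def parse_syscall(line):
    """Parse a SYSCALL record for the pid/ppid/exe of the process that was denied."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    s = SERIAL_RE.search(line)
    return {'serial': s.group('serial') if s else None, 'pid': int(m.group('pid')),
            'ppid': int(m.group('ppid')), 'exe': m.group('exe')}


def policy_rule(stype, ttype, tclass, perms):
    """Minimal allow rule that would silence this group of denials (audit2allow style)."""
    perms = sorted(set(perms))
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {ttype}:{tclass} {body};'


def summarize(text):
    """Group denials, count them, and map each denied pid to its parent via SYSCALL records."""
    groups = defaultdict(set)   # (stype, ttype, tclass) -> permissions denied
    counts = defaultdict(int)
    syscalls = {}               # serial -> SYSCALL record
    denials = []
    for line in text.splitlines():
        sc = parse_syscall(line)
        if sc:
            syscalls[sc['serial']] = sc
            continue
        avc = parse_avc(line)
        if avc:
            denials.append(avc)
            key = (avc['stype'], avc['ttype'], avc['tclass'])
            groups[key].update(avc['perms'])
            counts[key] += 1
    rules = [policy_rule(*key, perms) for key, perms in sorted(groups.items())]
    parents = {d['pid']: syscalls[d['serial']]['ppid'] for d in denials if d['serial'] in syscalls}
    return {'rules': rules, 'counts': dict(counts), 'parents': parents, 'denials': denials}


if __name__ == '__main__':
    result = summarize(SAMPLE_LOG)
    for rule in result['rules']:
        print(rule)
    for d in result['denials']:
        print(f"{d['comm']} pid={d['pid']} parent={result['parents'].get(d['pid'])} "
              f"tmp_owner={d['tmp_owner']} path={d['path']}")
```

Run it against a real audit.log or /var/log/messages (`python3 avc_summary.py < /var/log/audit/audit.log`, with `SAMPLE_LOG` swapped for `sys.stdin.read()`) to see how many distinct source/target/class groups are actually involved before touching policy; here there is exactly one, and the SYSCALL ppid agreeing with the pid in the temp file name confirms the file belongs to the puppet-agent run that spawned ovs-vsctl.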