Created attachment 909283 [details]
audit.log

Description of problem:
instack-overcloud-test is unable to ssh to the user VM on the overcloud because neutron cannot finish network setup.

COMMAND=ssh -o BatchMode=yes -o StrictHostKeyChecking=no fedora.2.46 ls
OUTPUT=Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Version-Release number of selected component (if applicable):
openstack-neutron-2014.1-18.fc21.noarch
openstack-neutron-ml2-2014.1-18.fc21.noarch
openstack-neutron-openvswitch-2014.1-18.fc21.noarch
python-neutron-2014.1-18.fc21.noarch
python-neutronclient-2.3.4-1.fc21.noarch
selinux-policy-3.12.1-167.fc20.noarch
selinux-policy-targeted-3.12.1-167.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Deploy overcloud and run overcloud tests using instack-undercloud

Actual results:
instack-test-overcloud fails with the ssh error listed above

Expected results:
instack-test-overcloud should complete successfully

Additional info:
type=AVC msg=audit(1402951950.271:716): avc: denied { connectto } for pid=5676 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1402951950.271:716): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff2ec7f4c0 a2=21 a3=0 items=0 ppid=1 pid=5676 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-ns-meta" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
What does

# ps -efZ | grep init

show? We will need to add labeling for "neutron-ns-metadata".
Created attachment 909676 [details]
ps -efZ | grep init
Please re-test it with http://koji.fedoraproject.org/koji/buildinfo?buildID=539741
Miroslav,

The problem is still present in selinux-policy-targeted-3.12.1-172.fc20.noarch. I also see a new name_connect problem.

audit.log:type=AVC msg=audit(1403761491.221:887): avc: denied { name_connect } for pid=5015 comm="neutron-server" dest=5000 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
audit.log:type=AVC msg=audit(1403761613.557:1080): avc: denied { connectto } for pid=6011 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

I also noticed that new swift packages have landed. Could they have introduced the new issue?

openstack-neutron-2014.1.1-3.fc21.noarch
openstack-neutron-ml2-2014.1.1-3.fc21.noarch
openstack-neutron-openvswitch-2014.1.1-3.fc21.noarch

They are dated Build Date : Tue 24 Jun 2014 11:22:12 AM UTC
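Added triage helper, not part of this bug report or of the selinux-policy or neutron projects: a small Python script that parses audit AVC records of the kind quoted above and groups the denials by source type, target type, object class and permission, so a reporter can see at a glance that both connectto denials are the same rule (neutron_t reaching a socket owned by init_t) while the name_connect denial is a separate port-labeling question. The sample log is constructed inline from the records in this bug; the type names neutron_t, init_t and commplex_main_port_t come from those records, and the hint text is the author's own reading of what each target label implies, not policy guidance from the maintainers.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC/SYSCALL records quoted in this bug. A real run
# would read /var/log/audit/audit.log (or `ausearch -m AVC` output) instead.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1402951950.271:716): avc: denied { connectto } for pid=5676 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1402951950.271:716): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fff2ec7f4c0 a2=21 a3=0 items=0 ppid=1 pid=5676 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-ns-meta" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1403761491.221:887): avc: denied { name_connect } for pid=5015 comm="neutron-server" dest=5000 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1403761613.557:1080): avc: denied { connectto } for pid=6011 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Tolerates both the single spacing seen in this bug and the double spacing the
# kernel actually emits after "avc:" / "denied".
AVC_RE = re.compile(
    r'^(?:[^:]*:)?type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] context ('' if malformed)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Parse one audit line; returns a dict for type=AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'stype': selinux_type(fields.get('scontext', '')),
        'ttype': selinux_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', '?'),
        # The object being touched: a path for files/sockets, a port for tcp/udp, a name otherwise.
        'target': fields.get('path') or fields.get('dest') or fields.get('name') or '-',
    }


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, object class, permission)."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            g = groups.setdefault(key, {'count': 0, 'comms': set(), 'targets': set(), 'serials': []})
            g['count'] += 1
            g['comms'].add(rec['comm'])
            g['targets'].add(rec['target'])
            g['serials'].append(rec['serial'])
    return groups


def hint(key):
    """Author's reading of what the target label suggests; an assumption, not maintainer guidance."""
    stype, ttype, tclass, perm = key
    if ttype.endswith('_port_t'):
        return ('target is a port type; check the port-to-type mapping (semanage port -l) and '
                'whether %s is meant to %s to it' % (stype, perm))
    if ttype == 'init_t' and tclass.endswith('_socket'):
        return ('socket is owned by a process still running in the generic init_t domain; the '
                'listening process likely needs its own file context/domain (compare ps -eZ)')
    return 'no specific hint'


if __name__ == '__main__':
    for key, g in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print('%s -> %s %s { %s }: %d denial(s), comm=%s, target=%s'
              % (key[0], key[1], key[2], key[3], g['count'],
                 ','.join(sorted(g['comms'])), ','.join(sorted(g['targets']))))
        print('    hint:', hint(key))
```

Running the script against the sample prints two groups: the neutron_t to init_t connectto rule with two occurrences (serials 716 and 1080, both on /run/neutron/metadata_proxy) and a single neutron_t to commplex_main_port_t name_connect on port 5000. Pointing SAMPLE_AUDIT_LOG at a real audit.log gives the same grouped view, which is usually what the policy maintainer asks for before deciding between a new file context, a new domain, or a port label.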
Ok, we need to re-check

audit.log:type=AVC msg=audit(1403761613.557:1080): avc: denied { connectto } for pid=6011 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

What does

# ps -eZ | grep neutron

show?
This has been fixed with selinux-policy-targeted-3.12.1-173.fc20.noarch. Thank you! I see new denials though with neutron. I will post new bugs for them.
Richard,

Where did you post these bugs? Thank you.
The other bugs have been closed:

Bug 1113806
Bug 1113803

This bug can also be closed. Thanks.