Description of problem:
SELinux blocks the metadata proxy from binding to its socket in the DHCP namespace. If SELinux is set to permissive, it works fine.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install OSP5 via packstack
2. Set enable_isolated_metadata = True in /etc/neutron/dhcp_agent.ini
3. Create a neutron subnet with the --no-gateway flag
4. Spin up a VM in this network.

Actual results:
When the metadata proxy is started in the DHCP namespace, it fails immediately with the following error:

2014-09-18 16:34:43.462 6966 INFO neutron.common.config [-] Logging enabled!
2014-09-18 16:34:43.471 6994 CRITICAL neutron [-] [Errno 13] Permission denied
2014-09-18 16:34:43.471 6994 TRACE neutron Traceback (most recent call last):
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/bin/neutron-ns-metadata-proxy", line 10, in <module>
2014-09-18 16:34:43.471 6994 TRACE neutron     sys.exit(main())
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/metadata/namespace_proxy.py", line 181, in main
2014-09-18 16:34:43.471 6994 TRACE neutron     proxy.start()
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/daemon.py", line 145, in start
2014-09-18 16:34:43.471 6994 TRACE neutron     self.run()
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/metadata/namespace_proxy.py", line 142, in run
2014-09-18 16:34:43.471 6994 TRACE neutron     proxy.start(handler, self.port)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 210, in start
2014-09-18 16:34:43.471 6994 TRACE neutron     backlog=backlog)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 183, in _get_socket
2014-09-18 16:34:43.471 6994 TRACE neutron     eventlet.sleep(0.1)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/excutils.py", line 82, in __exit__
2014-09-18 16:34:43.471 6994 TRACE neutron     six.reraise(self.type_, self.value, self.tb)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 175, in _get_socket
2014-09-18 16:34:43.471 6994 TRACE neutron     family=family)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/eventlet/convenience.py", line 38, in listen
2014-09-18 16:34:43.471 6994 TRACE neutron     sock.bind(addr)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib64/python2.7/socket.py", line 224, in meth
2014-09-18 16:34:43.471 6994 TRACE neutron     return getattr(self._sock,name)(*args)
2014-09-18 16:34:43.471 6994 TRACE neutron error: [Errno 13] Permission denied

Expected results:
2014-09-18 16:38:55.308 8481 INFO neutron.common.config [-] Logging enabled!
2014-09-18 16:38:55.317 8511 INFO neutron.wsgi [-] (8511) wsgi starting up on http://0.0.0.0/

Additional info:
Created attachment 939070 [details] Audit Log
There are no AVCs in the audit log. Try # semanage dontaudit off, and generate a new audit.log.
Created attachment 939360 [details] Audit Log with semanage dontaudit off
allow neutron_t http_port_t:tcp_socket name_bind; looks to be the issue.
corenet_tcp_bind_http_port(neutron_t)
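An added example (not from the bug report, neutron, or the selinux-policy project) showing how the allow rule in the comments above is derived from an audit record: parse each AVC denial into source type, target type, object class and permissions, merge repeated denials, and emit one allow rule per (source, target, class) triple, much as audit2allow does. The audit lines are constructed to mirror the denial this bug describes; they are not taken from the attached audit log. Note that, as the earlier comment found, a denial hidden by a dontaudit rule produces no AVC record at all, so an empty result from this parser alongside "Permission denied" in the application log is the cue to run semanage dontaudit off and capture a fresh log.

```python
"""Derive SELinux allow rules from AVC denial records (added example)."""
import re
from collections import defaultdict

# Constructed sample in the format of /var/log/audit/audit.log. The two
# http_port_t lines mirror this bug; the etc_t line shows permission merging.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1411058083.471:812): avc:  denied  { name_bind } for  pid=6994 comm="neutron-ns-meta" src=80 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1411058083.471:812): arch=c000003e syscall=49 success=no exit=-13 comm="neutron-ns-meta" exe="/usr/bin/python2.7"
type=AVC msg=audit(1411058083.480:813): avc:  denied  { name_bind } for  pid=6994 comm="neutron-ns-meta" src=80 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1411058090.100:820): avc:  denied  { read open } for  pid=7001 comm="neutron-dhcp-ag" path="/etc/neutron/example.conf" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Fields of an AVC record that matter for a type-enforcement rule.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def derive_allow_rules(log_text):
    """Merge all denials into the minimal set of allow rules, sorted."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        merged[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str  # policy syntax for a permission set
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


def has_denial(log_text, stype, ttype, tclass, perm):
    """True if the log records a denial of exactly this access vector."""
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if (avc and avc["verdict"] == "denied" and avc["stype"] == stype
                and avc["ttype"] == ttype and avc["tclass"] == tclass
                and perm in avc["perms"]):
            return True
    return False


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The http_port_t rule the script prints is exactly the one named in the comment above; in a real policy module the interface call corenet_tcp_bind_http_port(neutron_t) is preferred over the raw allow rule because it tracks the port type definitions in the base policy.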
This has been fixed in 6.0; just need the acks to build for 5.0.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-1935.html