Bug 1150900 - selinux prevents openstack-neutron openvswitch agent to access dbus-daemon
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-10-09 07:10 UTC by Matthias Runge
Modified: 2014-11-07 11:26 UTC (History)

Fixed In Version: selinux-policy-3.13.1-86.fc22
Doc Type: Bug Fix
Last Closed: 2014-10-13 12:14:47 UTC
Type: Bug

Description Matthias Runge 2014-10-09 07:10:06 UTC
Description of problem:



type=USER_AVC msg=audit(1412838148.137:4935): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11816 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1412838150.149:4941): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11836 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


and in 

/var/log/neutron/openvswitch-agent.log:
2014-10-09 09:02:32.130 3149 CRITICAL neutron [req-6e4b5b7c-7aa2-4be8-b792-4f8b1244de95 None] AssertionError: Trying to re-send() an already-triggered event.
2014-10-09 09:02:32.130 3149 TRACE neutron Traceback (most recent call last):
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/bin/neutron-openvswitch-agent", line 10, in <module>
2014-10-09 09:02:32.130 3149 TRACE neutron     sys.exit(main())
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1632, in main
2014-10-09 09:02:32.130 3149 TRACE neutron     agent.daemon_loop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1559, in daemon_loop
2014-10-09 09:02:32.130 3149 TRACE neutron     self.rpc_loop(polling_manager=pm)
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
2014-10-09 09:02:32.130 3149 TRACE neutron     self.gen.next()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/polling.py", line 39, in get_polling_manager
2014-10-09 09:02:32.130 3149 TRACE neutron     pm.stop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/polling.py", line 106, in stop
2014-10-09 09:02:32.130 3149 TRACE neutron     self._monitor.stop()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/async_process.py", line 89, in stop
2014-10-09 09:02:32.130 3149 TRACE neutron     self._kill()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ovsdb_monitor.py", line 99, in _kill
2014-10-09 09:02:32.130 3149 TRACE neutron     super(SimpleInterfaceMonitor, self)._kill(*args, **kwargs)
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/async_process.py", line 116, in _kill
2014-10-09 09:02:32.130 3149 TRACE neutron     self._kill_event.send()
2014-10-09 09:02:32.130 3149 TRACE neutron   File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 155, in send
2014-10-09 09:02:32.130 3149 TRACE neutron     assert self._result is NOT_USED, 'Trying to re-send() an already-triggered event.'
2014-10-09 09:02:32.130 3149 TRACE neutron AssertionError: Trying to re-send() an already-triggered event.


Turning selinux to permissive fixes this issue.
selinux-policy-3.12.1-188.fc20.noarch
openvswitch-2.3.0-1.fc20.x86_64
openstack-neutron-2014.2-0.7.b3.fc22.noarch
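
For triage, the two USER_AVC records in the description reduce to one denied access: neutron_t sending a D-Bus message to system_dbusd_t. The following is an added example, not part of the original report or of selinux-policy; it groups denials by source type, target type and class and renders the raw allow rule each group corresponds to, in the manner of audit2allow. The function names are hypothetical and the third sample line is constructed.

```python
import re
from collections import defaultdict

# First two records are copied from the report above; the third is a constructed
# non-AVC line to show that unrelated audit records are skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1412838148.137:4935): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11816 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1412838150.149:4941): pid=964 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=11836 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1412838150.200:4942): arch=c000003e syscall=2 success=yes
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type, the third colon-separated field of user:role:type:level."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        if not line.startswith(("type=AVC", "type=USER_AVC")):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        denials[key]["count"] += 1
    return dict(denials)

def candidate_rules(denials):
    """Render each group as a raw allow rule for human review, not blind loading."""
    rules = []
    for (src, tgt, cls), info in sorted(denials.items()):
        perms = sorted(info["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The rule this produces is a review aid only: the report does not show the policy change made in the referenced commit, and a denial seen once in enforcing mode may hide further denials that only appear after the first access is allowed.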

Comment 1 Miroslav Grepl 2014-10-13 12:14:47 UTC
commit d96ba4a9d02ecba2c3b1b7233be3d39fcdfd3335
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 14:14:12 2014 +0200

    Allow neutron connections to system dbus.

Comment 2 Matthias Runge 2014-10-14 08:46:06 UTC
Could you please backport this to f20 as well? F20+ is our testbed for RDO packages (consuming packages from rawhide)

Comment 3 Lukas Vrabec 2014-11-07 11:26:58 UTC
commit d96ba4a9d02ecba2c3b1b7233be3d39fcdfd3335
Author: Miroslav Grepl <mgrepl>
Date:   Mon Oct 13 14:14:12 2014 +0200

    Allow neutron connections to system dbus.

This is already fixed in F20.

