Bug 1153656

Summary: there are many (new) denials after running tempest
Product: Red Hat OpenStack
Reporter: Jaroslav Henner <jhenner>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA
QA Contact: Jaroslav Henner <jhenner>
Severity: medium
Docs Contact:
Priority: high
Version: 5.0 (RHEL 7)
CC: lhh, mgrepl, mlopes, rhallise, scohen, yeylon
Target Milestone: z2
Keywords: ZStream
Target Release: 5.0 (RHEL 7)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-selinux-0.5.19-1.el7ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, the OpenStack Networking (neutron) service was generating AVC alerts. This update addresses this issue by allowing OpenStack Networking to kill processes labeled as dnsmasq_t. Consequently, OpenStack Networking runs with no AVC alerts.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-03 05:54:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
audit logs (Flags: none)

Description Jaroslav Henner 2014-10-16 13:06:34 UTC
Description of problem:
The number of selinux denials increased recently from about 20 to more than 1000.


Version-Release number of selected component (if applicable):


How reproducible:
100% after Sep 26, 2014 12:25:00 AM runs

Steps to Reproduce:
1. run tempest on packstack-deployed openstack

Actual results:
>100 denials

Expected results:
~0 denials

Additional info:

Comment 1 Jaroslav Henner 2014-10-16 13:06:56 UTC
Created attachment 947591 [details]
audit logs

Comment 3 Lon Hohberger 2014-10-16 13:51:53 UTC
type=AVC msg=audit(1413422314.326:70130): avc:  denied  { sigkill } for  pid=11884 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process

^ same AVC repeated over and over.  It's a new one.

Comment 4 Lon Hohberger 2014-10-16 13:52:22 UTC
This is caused by a change in neutron.  So, it's not a regression.

Comment 5 Lon Hohberger 2014-10-16 13:57:12 UTC
Ryan pointed out that this doesn't affect rhel 6.6.

Comment 6 Ryan Hallisey 2014-10-16 14:27:46 UTC
allow neutron_t dnsmasq_t:process sigkill;

It's been added in selinux-policy for F20 but hasn't got into rhel7 yet.
Adding to openstack-selinux.

Comment 7 Miroslav Grepl 2014-10-16 14:48:09 UTC
So it's about 


#============= haproxy_t ==============

#!!!! This avc is allowed in the current policy
allow haproxy_t proc_t:file read;

#============= neutron_t ==============
allow neutron_t dnsmasq_t:process sigkill;


commit cdd75e9842a7705eb6f27a9b9b8e88875bf1d3a5
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 16 16:45:55 2014 +0200

    Allow neutron_t to send sigkill to dnsmasq.
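The triage done by hand in comment 3 (spot the one AVC that repeats thousands of times and is not in the baseline) and in comment 7 (turn it into the audit2allow-style rule that openstack-selinux then shipped) can be scripted. The following is an added example, not code from this bug, from openstack-selinux, or from audit2allow; the audit lines below are constructed, except that the neutron_t -> dnsmasq_t sigkill denial mirrors the one quoted in comment 3, and KNOWN_ALLOWED is a hypothetical baseline of rules already present in the installed policy.

```python
"""Count distinct SELinux AVC denials in an audit log excerpt and emit the
allow rule each one would need, flagging the ones not already covered by a
baseline.  Added example; the sample lines are constructed."""
import re
from collections import Counter

# Matches the fields of a kernel AVC record that matter for policy writing:
# the denied permissions, the source/target security contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: the comment-3 denial repeated, a denial that the
# installed policy already allows, and a non-AVC record that must be ignored.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1413422314.326:70130): avc:  denied  { sigkill } for  pid=11884 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process',
    'type=AVC msg=audit(1413422315.101:70131): avc:  denied  { sigkill } for  pid=11890 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process',
    'type=AVC msg=audit(1413422316.877:70132): avc:  denied  { sigkill } for  pid=11902 comm="kill" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process',
    'type=AVC msg=audit(1413422317.000:70133): avc:  denied  { read } for  pid=12001 comm="haproxy" name="meminfo" scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1413422317.000:70133): arch=c000003e syscall=2 success=no exit=-13',
]

# Hypothetical baseline: rules the running policy already contains.
KNOWN_ALLOWED = {"allow haproxy_t proc_t:file read;"}


def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, sorted perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(sorted(m["perms"].split()))
    return (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"], perms)


def summarize(lines):
    """Count how often each distinct denial occurs; one key per (src, tgt, class, perms)."""
    counts = Counter()
    for line in lines:
        key = parse_avc(line)
        if key is not None:
            counts[key] += 1
    return counts


def allow_rule(key):
    """Render a denial key as a policy allow rule in audit2allow's style."""
    src, tgt, cls, perms = key
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {perm_text};"


def new_denials(counts, baseline):
    """Keep only denials whose allow rule is not already in the baseline policy."""
    return {key: n for key, n in counts.items() if allow_rule(key) not in baseline}


def report(lines, baseline):
    """Produce the text a triager would paste into a bug: count, rule, and whether it is new."""
    out = []
    counts = summarize(lines)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        status = "already allowed" if allow_rule(key) in baseline else "NEW"
        out.append(f"{n:6d}  {allow_rule(key)}  # {status}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT, KNOWN_ALLOWED))
```

On a real host the input would come from `ausearch -m avc` rather than the embedded list; the grouping key deliberately drops pid, comm and the MLS level so that the thousands of repeats in comment 3 collapse into one line with a count, which is what makes a regression like 20 -> 1000 denials easy to attribute to a single new rule.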

Comment 10 Jaroslav Henner 2014-10-24 11:25:35 UTC
23 denials in puddle 2014-10-21.1. It is back to the previous state.

Comment 12 errata-xmlrpc 2014-11-03 05:54:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1780.html