Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1154939

Summary: SELinux: neutron-ns-meta denied connectto on unix_stream_socket
Product: Red Hat OpenStack
Reporter: Richard Su <rwsu>
Component: openstack-selinux
Assignee: Ryan Hallisey <rhallise>
Status: CLOSED WORKSFORME
QA Contact: Ami Jeain <ajeain>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 5.0 (RHEL 7)
CC: itamar, lhh, lvrabec, mgrepl, p, rhallise, scohen, yeylon
Target Milestone: z4
Keywords: ZStream
Target Release: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-12-12 23:03:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: audit.log (flags: none)

Description Richard Su 2014-10-21 05:07:30 UTC
Created attachment 948794 [details]
audit.log

Description of problem:
This is a problem that was seen and fixed in Fedora 20 (BZ 1110040) and is now spotted in RHEL7. Originally posted bug as BZ 1147104 but now posting against openstack-selinux because we need the fix sooner.

Version-Release number of selected component (if applicable):
openstack-selinux-0.5.15-1.el7ost.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch

How reproducible:
always

Steps to Reproduce:
1. Using instack-undercloud, deploy overcloud using source and run instack-test-overcloud.

Actual results:
neutron-ns-meta denied connectto on unix_stream_socket

Expected results:
no denial

Additional info:
audit.log.1:type=AVC msg=audit(1411756457.879:6476): avc:  denied  { connectto } for  pid=11611 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 

[root@overcloud-controller0-hkj4j63jzxat ~]# ps -efZ | grep neutron-ns
system_u:system_r:neutron_t:s0  root     11611     1  0 14:31 ?        00:00:00 /opt/stack/venvs/openstack/bin/python /bin/neutron-ns-metadata-proxy --pid_file=/var/run/neutron/external/pids/52e157df-9ccb-4690-9994-dc1b1c3926be/pid --metadata_proxy_socket=/var/run/neutron/metadata_proxy --router_id=52e157df-9ccb-4690-9994-dc1b1c3926be --state_path=/var/run/neutron --metadata_port=9697
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19634 19265  0 18:37 pts/0 00:00:00 grep --color=auto neutron-ns

Comment 1 Miroslav Grepl 2014-10-21 08:29:48 UTC
The problem is with /bin/neutron-ns-metadata-proxy labeling.

Comment 4 Ryan Hallisey 2014-11-18 16:19:01 UTC
# restorecon -R -v /run/neutron/

label should be neutron_var_run_t.
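The AVC record in the description and the label/domain checks suggested in comments 1 and 4 can be triaged mechanically. The following is an added example, not code from the bug report or from openstack-selinux: it parses audit.log AVC denials into fields, explains what the target context of a unix_stream_socket connectto denial actually identifies (the domain of the process that created the listening socket, since sockets inherit their creator's context), and lists which processes from `ps -eZ` output run in a given domain, which is the check comment 5 asks for. The AVC line is the one from this report; the `ps -eZ` output and the `neutron-metadata-agent` entry in it are constructed for illustration and are not from the report.

```python
"""Triage helpers for SELinux AVC denials like the one in this bug.

Added example, not code from the bug report or from openstack-selinux.
"""
import re
from typing import Dict, List, Optional

# key=value pairs in an audit record; values are either "quoted" or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The denial header: avc:  denied  { perm1 perm2 } for  <key=value fields...>
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')


def selinux_type(context: str) -> str:
    """Return the type field of a context such as system_u:system_r:init_t:s0."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit.log line into a dict of AVC fields, or None if it is not a denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": " ".join(m.group(1).split())}
    for key, quoted, bare in _FIELD_RE.findall(m.group(2)):
        rec[key] = bare if bare else quoted
    return rec


def triage_socket_denial(rec: Dict[str, str]) -> Dict[str, str]:
    """Explain a unix_stream_socket connectto denial.

    For this object class the target context is the label of the listening
    peer socket, which a socket inherits from the process that created it.
    So tcontext tells you which domain the listener runs in: init_t there
    means the listener never transitioned into a confined domain (the kind
    of labeling problem comment 1 points at), not that the socket file on
    disk is mislabeled.
    """
    src = selinux_type(rec["scontext"])
    tgt = selinux_type(rec["tcontext"])
    out = {"source_domain": src, "target_domain": tgt, "path": rec.get("path", "")}
    if rec.get("tclass") == "unix_stream_socket" and "connectto" in rec["perms"].split():
        if tgt == "init_t":
            out["hint"] = "listener runs as init_t: check the label of its executable and ps -eZ"
        else:
            out["hint"] = f"listener runs as {tgt}: a policy allow rule may be missing"
    else:
        out["hint"] = "not a unix_stream_socket connectto denial"
    return out


def processes_in_domain(ps_output: str, domain: str) -> List[str]:
    """From `ps -eZ` text, return the command of every process whose type equals domain."""
    hits = []
    for line in ps_output.splitlines():
        cols = line.split(None, 4)  # LABEL PID TTY TIME CMD; CMD may contain spaces
        if len(cols) < 5:
            continue
        try:
            if selinux_type(cols[0]) == domain:
                hits.append(cols[4])
        except ValueError:  # the header line has no context in column 0
            continue
    return hits


# The denial from the bug's "Additional info" section.
AVC_LINE = ('type=AVC msg=audit(1411756457.879:6476): avc:  denied  { connectto } for  '
            'pid=11611 comm="neutron-ns-meta" path="/run/neutron/metadata_proxy" '
            'scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:init_t:s0 '
            'tclass=unix_stream_socket')

# Constructed `ps -eZ` output (not from the report); the neutron-metadata-agent
# line is a hypothetical listener that stayed in init_t.
PS_OUTPUT = """\
LABEL                           PID TTY          TIME CMD
system_u:system_r:init_t:s0       1 ?        00:00:03 systemd
system_u:system_r:init_t:s0    9876 ?        00:00:01 neutron-metadata-agent
system_u:system_r:neutron_t:s0 11611 ?        00:00:00 neutron-ns-metadata-proxy
"""

if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(triage_socket_denial(rec))
    print(processes_in_domain(PS_OUTPUT, "init_t"))
```

Run against a real audit.log the parser lets you group denials by (scontext type, tcontext type, tclass) before deciding whether the fix is a file-context rule for the executable, a domain transition, or an allow rule; `processes_in_domain` answers the same question as `ps -eZ | grep init_t` but returns the command names so they can be compared against the expected domain for each service.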

Comment 5 Miroslav Grepl 2014-11-24 10:54:25 UTC
Also what does

# ps -eZ |grep init_t

Comment 6 Richard Su 2014-12-12 23:03:26 UTC
The issue doesn't appear on openstack-selinux-0.6.4-1.el7ost.noarch.

Closing this bug.