Created attachment 961908 [details] l3-agent.log

Description of problem:
=======================
While testing IPv6, I noticed radvd is not spawned. This looks like a permissions issue related to rootwrap.

Version-Release number of selected component (if applicable):
=============================================================
openstack-neutron-2014.2-11.el7ost.noarch
python-neutron-2014.2-11.el7ost.noarch

How reproducible:
=================
2/2

Steps to Reproduce:
===================
1. Create Neutron router:
# neutron router-create router1

2. Create network:
# neutron net-create tenant_a_radvd_stateless --shared --provider:physical_network=ipv6_vlan_range --provider:network_type=vlan --provider:segmentation_id=65

3. Create IPv6 subnet (must not be provider):
# neutron subnet-create <network_id> 2001:66:66:66::1/64 --name tenant_a_provider_stateless_subnet --ipv6-address-mode dhcpv6-stateless --gateway fe80::6664:9bff:fe17:b401 --dns-nameserver 2001:4860:4860::8888 --ip-version 6

4. Attach the subnet to the router you have created:
# neutron router-interface-add <router_id> <subnet_id>

Actual results:
===============
Unauthorized command: ip netns exec qrouter-e21ca082-ce79-47f2-9a0b-0b6261ee96db radvd -C /var/lib/neutron/ra/e21ca082-ce79-47f2-9a0b-0b6261ee96db.radvd.conf -p /var/lib/neutron/external/pids/e21ca082-ce79-47f2-9a0b-0b6261ee96db.pid.radvd (no filter matched)\n'

Expected results:
=================
neutron should be able to spawn radvd with no issues.

Additional info:
================
1. Tested with RHEL7
2. I executed this manually as root and it worked fine:
# sudo neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qrouter-e21ca082-ce79-47f2-9a0b-0b6261ee96db radvd -C /var/lib/neutron/ra/e21ca082-ce79-47f2-9a0b-0b6261ee96db.radvd.conf -p /var/lib/neutron/external/pids/e21ca082-ce79-47f2-9a0b-0b6261ee96db.pid.radvd
Created attachment 961909 [details] /usr/share/neutron/rootwrap
It's an SELinux issue:

type=AVC msg=audit(1417089038.047:151800): avc: denied { execute } for pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.047:151800): arch=c000003e syscall=21 success=no exit=-13 a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=7fff293c1620 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-rootwra" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1417089038.047:151801): avc: denied { execute } for pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.047:151801): arch=c000003e syscall=21 success=no exit=-13 a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=0 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-rootwra" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)

I suspect that the same issue may be present for other binaries introduced in Juno: keepalived for DVR and conntrack for disassociated Floating IPs.
Additional Information:
Source Context                system_u:system_r:neutron_t:s0
Target Context                system_u:object_r:radvd_exec_t:s0
Target Objects                [ file ]
Source                        neutron-rootwra
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.11.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <FQDN>
Platform                      Linux <FQDN> 3.10.0-123.9.3.el7.x86_64 #1 SMP Thu Oct 30 00:16:40 EDT 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-11-27 13:50:38 IST
Last Seen                     2014-11-27 13:50:38 IST
Local ID                      189ab333-7e9c-4dff-97fd-f37dc0c38056

Raw Audit Messages
type=AVC msg=audit(1417089038.47:151800): avc: denied { execute } for pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.47:151800): arch=x86_64 syscall=access success=no exit=EACCES a0=1a8a0e0 a1=1 a2=7f38a7db1f88 a3=7fff293c1620 items=0 ppid=9177 pid=9179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=neutron-rootwra exe=/usr/bin/python2.7 subj=system_u:system_r:neutron_t:s0 key=(null)

Hash: neutron-rootwra,neutron_t,radvd_exec_t,file,execute
# cat /var/log/audit/audit.log | audit2allow -R
require {
	type radvd_exec_t;
	type neutron_t;
	class file execute;
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file execute;

allow neutron_t radvd_exec_t:file execute;

What do you think Miroslav?
This is just access check. Does it do access checks on binaries?
Already built for 6.0 needs acks to build in 5.0.
Created attachment 973995 [details] Logs

Reopening. Reproduced with NVR: openstack-selinux-0.6.6-1.el7ost

Result:
=======
Same as before:
TRACE neutron.agent.l3_agent Stderr: 'exec of "radvd" failed: Permission denied\n'

Additional Info:
================
[root@puma07 audit]# cat /var/log/audit/audit.log | audit2allow -R
require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open execute_no_trans };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open execute_no_trans };

[root@puma07 audit]# cat /var/log/audit/audit.log.1 | audit2allow -R
require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open };
Can you retest in permissive? When you test in enforcing it will only gather the first AVC that breaks the test. It is possible that these two additional rules will fix the issue, but just to be sure attach your results after running in permissive in case there are more AVCs.
(In reply to Ryan Hallisey from comment #13)
> Can you retest in permissive? When you test in enforcing it will only
> gather the first AVC that breaks the test. It is possible that these two
> additional rules will fix the issue, but just to be sure attach your results
> after running in permissive in case there are more AVCs.

Done.

[root@puma07 ~]# getenforce
Permissive
[root@puma07 ~]# sealert -a /var/log/audit/audit.log
 99% done'list' object has no attribute 'split'
string index out of range
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/radvd from 'read, open' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that radvd should be allowed read open access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep radvd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:neutron_t:s0
Target Context                system_u:object_r:radvd_exec_t:s0
Target Objects                [ file ]
Source                        radvd
Source Path                   /usr/sbin/radvd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           radvd-1.9.2-7.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7_0.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     puma07
Platform                      Linux puma07 3.10.0-123.13.2.el7.x86_64 #1 SMP Fri Dec 12 19:51:03 EST 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-30 09:54:00 IST
Last Seen                     2014-12-30 09:54:00 IST
Local ID                      05547aa0-04c1-4e0b-ad17-677c6faa1199

Raw Audit Messages
type=AVC msg=audit(1419926040.12:174465): avc: denied { read open } for pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=AVC msg=audit(1419926040.12:174465): avc: denied { execute_no_trans } for pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1419926040.12:174465): arch=x86_64 syscall=execve success=yes exit=0 a0=7fff2fe897b8 a1=7fff2fe8da38 a2=7fff2fe8da68 a3=7fff2fe89630 items=0 ppid=16736 pid=16738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=radvd exe=/usr/sbin/radvd subj=system_u:system_r:neutron_t:s0 key=(null)

Hash: radvd,neutron_t,radvd_exec_t,file,read,open

[root@puma07 ~]# cat /var/log/audit/audit.log | audit2allow -R
require {
	type radvd_exec_t;
	type neutron_t;
	class file { read open execute_no_trans };
}

#============= neutron_t ==============
allow neutron_t radvd_exec_t:file { read open execute_no_trans };
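Added example, not part of this bug thread or of audit2allow: a small Python script that aggregates AVC denial records per (source type, target type, class) into allow rules, the way the audit2allow output quoted above does. The sample input is constructed from the AVC lines quoted in this bug (one enforcing run, one permissive run), trimmed to the fields the parser needs; it shows why the enforcing run only ever surfaced `execute` while the permissive run revealed the full `{ read open execute_no_trans }` set, since enforcing stops the process at the first denial.

```python
import re
from collections import defaultdict

# Constructed sample: the denial from the enforcing run (comment 4), where
# rootwrap's access(2) check on radvd failed and nothing ran after it.
ENFORCING_RUN = """\
type=AVC msg=audit(1417089038.047:151800): avc:  denied  { execute } for  pid=9179 comm="neutron-rootwra" name="radvd" dev="sda5" ino=22025167 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1417089038.047:151800): arch=c000003e syscall=21 success=no exit=-13
"""

# Constructed sample: the permissive run (comment 14), where execve of radvd
# went through and every access it needed was logged instead of just the first.
PERMISSIVE_RUN = """\
type=AVC msg=audit(1419926040.12:174465): avc:  denied  { read open } for  pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=AVC msg=audit(1419926040.12:174465): avc:  denied  { execute_no_trans } for  pid=16738 comm="ip" path="/usr/sbin/radvd" dev="sda5" ino=26219408 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:radvd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1419926040.12:174465): arch=x86_64 syscall=execve success=yes exit=0
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    if "type=AVC" not in line:
        return None
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    perms = set(m.group(1).split())
    # key=value fields; quoted values (comm="...") are kept whole.
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    # A context is user:role:type:level; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms


def collect_denials(audit_text):
    """Merge all denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def render_te(rules):
    """Render the merged denials as policy allow rules, one per line."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {stype} {ttype}:{tclass} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return "\n".join(out)


if __name__ == "__main__":
    print("enforcing run only:\n" + render_te(collect_denials(ENFORCING_RUN)))
    print("permissive run:\n" + render_te(collect_denials(PERMISSIVE_RUN)))
```

The rules themselves are the same kind of local policy the comments build with audit2allow -M and semodule -i; this script only makes the aggregation step visible.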
*** Bug 1177797 has been marked as a duplicate of this bug. ***
Verified NVR: openstack-selinux-0.6.11-1.el7ost.noarch

Steps:
======
Repeated the steps mentioned in comment #0

1. Network:
# neutron net-create radvd_stateless

2. Subnet:
# neutron subnet-create <net_id> 2001:66:66:66::1/64 --name tenant_a_provider_stateless_subnet --ipv6-address-mode dhcpv6-stateless --dns-nameserver 2001:4860:4860::8888 --ip-version 6

3. Router interface attachment:
# neutron router-interface-add <router_id> <subnet_id>

Result:
=======
1. radvd spawned:
# ps -ef | grep radvd
root     27877     1  0 14:29 ?        00:00:00 radvd -C /var/lib/neutron/ra/d3386c80-c14e-4a4c-b906-ce7704a16a0b.radvd.conf -p /var/lib/neutron/external/pids/d3386c80-c14e-4a4c-b906-ce7704a16a0b.pid.radvd
root     27879     1  0 14:29 ?        00:00:00 radvd -C /var/lib/neutron/ra/d3386c80-c14e-4a4c-b906-ce7704a16a0b.radvd.conf -p /var/lib/neutron/external/pids/d3386c80-c14e-4a4c-b906-ce7704a16a0b.pid.radvd

2. No SELinux related messages in audit.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0144.html