Bug 1195214 - SELinux enabled causes Neutron network interfaces to fail to start
Summary: SELinux enabled causes Neutron network interfaces to fail to start
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 7.0 (Kilo)
Assignee: Ryan Hallisey
QA Contact: yeylon@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1175340
TreeView+ depends on / blocked
 
Reported: 2015-02-23 11:54 UTC by Richard W.M. Jones
Modified: 2016-04-18 06:49 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-24 10:37:11 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Richard W.M. Jones 2015-02-23 11:54:52 UTC
Description of problem:

If you run packstack with SELinux enabled, then Neutron
fails to initialize correctly.  You only see the loopback
interface:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever

When I started a fresh packstack run with SELinux set to
permissive, I see the full set of interfaces.

audit2allow recommends:

    #============= neutron_t ==============
    allow neutron_t unlabeled_t:file { read open };

(I'm afraid I no longer have the original audit logs so I
don't know exactly what file is unlabelled).

Version-Release number of selected component (if applicable):

openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch
openstack-selinux-0.6.17-1.aa7a.noarch

How reproducible:

Several times.

Steps to Reproduce:
1. Run packstack, multinode with default (Neutron) network configuration.

Additional info:

Longer explanation by Lars K-S here:
http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/msg00457.html

Comment 4 Miroslav Grepl 2015-11-19 09:10:24 UTC
(In reply to Richard W.M. Jones from comment #0)
> Description of problem:
> 
> If you run packstack with SELinux enabled, then Neutron
> fails to initialize correctly.  You only see the loopback
> interface:
> 
>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>         inet 127.0.0.1/8 scope host lo
>            valid_lft forever preferred_lft forever
>         inet6 ::1/128 scope host 
>            valid_lft forever preferred_lft forever
> 
> When I started a fresh packstack run with SELinux set to
> permissive, I see the full set of interfaces.
> 
> audit2allow recommends:
> 
>     #============= neutron_t ==============
>     allow neutron_t unlabeled_t:file { read open };

We would need to see raw AVCs to check if it is a kernel issue or a bad labeling.

> 
> (I'm afraid I no longer have the original audit logs so I
> don't know exactly what file is unlabelled).
> 
> Version-Release number of selected component (if applicable):
> 
> openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch
> openstack-selinux-0.6.17-1.aa7a.noarch
> 
> How reproducible:
> 
> Several times.
> 
> Steps to Reproduce:
> 1. Run packstack, multinode with default (Neutron) network configuration.
> 
> Additional info:
> 
> Longer explanation by Lars K-S here:
> http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/
> msg00457.html


Note You need to log in before you can comment on or make changes to this bug.