Bug 1195214 - SELinux enabled causes Neutron network interfaces to fail to start
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 7.0 (Kilo)
Assignee: Ryan Hallisey
QA Contact: yeylon@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1175340
Reported: 2015-02-23 11:54 UTC by Richard W.M. Jones
Modified: 2016-04-18 06:49 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-24 10:37:11 UTC
Target Upstream Version:
Embargoed:



Description Richard W.M. Jones 2015-02-23 11:54:52 UTC
Description of problem:

If you run packstack with SELinux enabled, then Neutron
fails to initialize correctly.  You only see the loopback
interface:

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever

When I started a fresh packstack run with SELinux set to
permissive, I see the full set of interfaces.

audit2allow recommends:

    #============= neutron_t ==============
    allow neutron_t unlabeled_t:file { read open };

(I'm afraid I no longer have the original audit logs so I
don't know exactly what file is unlabelled).

Version-Release number of selected component (if applicable):

openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch
openstack-selinux-0.6.17-1.aa7a.noarch

How reproducible:

Several times.

Steps to Reproduce:
1. Run packstack, multinode with default (Neutron) network configuration.

Additional info:

Longer explanation by Lars K-S here:
http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/msg00457.html

Comment 4 Miroslav Grepl 2015-11-19 09:10:24 UTC
(In reply to Richard W.M. Jones from comment #0)
> Description of problem:
> 
> If you run packstack with SELinux enabled, then Neutron
> fails to initialize correctly.  You only see the loopback
> interface:
> 
>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>         inet 127.0.0.1/8 scope host lo
>            valid_lft forever preferred_lft forever
>         inet6 ::1/128 scope host 
>            valid_lft forever preferred_lft forever
> 
> When I started a fresh packstack run with SELinux set to
> permissive, I see the full set of interfaces.
> 
> audit2allow recommends:
> 
>     #============= neutron_t ==============
>     allow neutron_t unlabeled_t:file { read open };

We would need to see raw AVCs to check if it is a kernel issue or a bad labeling.

> 
> (I'm afraid I no longer have the original audit logs so I
> don't know exactly what file is unlabelled).
> 
> Version-Release number of selected component (if applicable):
> 
> openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch
> openstack-selinux-0.6.17-1.aa7a.noarch
> 
> How reproducible:
> 
> Several times.
> 
> Steps to Reproduce:
> 1. Run packstack, multinode with default (Neutron) network configuration.
> 
> Additional info:
> 
> Longer explanation by Lars K-S here:
> http://post-office.corp.redhat.com/archives/rh-openstack-dev/2015-February/msg00457.html
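
The audit2allow summary above drops the fields that identify the denied object, which is why comment 4 asks for the raw AVCs. The following is an added example, not part of the bug report or of openstack-selinux: it parses raw AVC denial records and lists the `unlabeled_t` objects a domain was denied on, keyed by device and inode. The log lines, paths and `comm` value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the bug report).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1424692492.101:411): avc:  denied  { read open } for  pid=2101 comm="neutron-example" path="/constructed/example/state.conf" dev="dm-0" ino=131099 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1424692492.305:412): avc:  denied  { read } for  pid=2101 comm="neutron-example" name="state.conf" dev="dm-0" ino=131099 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1424692493.007:413): avc:  denied  { getattr } for  pid=2101 comm="neutron-example" path="/constructed/example/other" dev="dm-0" ino=131200 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1424692493.007:413): arch=c000003e syscall=4 success=no exit=-13
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def unlabeled_targets(log_text, domain='neutron_t'):
    """Group denials from `domain` against unlabeled_t objects by (dev, inode)."""
    found = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec['stype'] != domain or rec['ttype'] != 'unlabeled_t':
            continue
        entry = found[(rec.get('dev'), rec.get('ino'))]
        entry['perms'].update(rec['perms'])
        # "path=" carries a full path; "name=" is only the last path component.
        entry['paths'].add(rec.get('path') or rec.get('name'))
    return dict(found)

if __name__ == '__main__':
    for (dev, ino), info in unlabeled_targets(SAMPLE_AUDIT_LOG).items():
        print(dev, ino, sorted(info['perms']), sorted(info['paths']))
```

The device and inode identify the file even when a record carries only `name=`; its label can then be inspected with `ls -Z` and, if the cause is bad labeling, corrected with `restorecon` rather than by allowing `neutron_t` access to `unlabeled_t`.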

