Bug 1233154 - selinux denies ovs-vctl set-manager when using native ovsdb with neutron
Summary: selinux denies ovs-vctl set-manager when using native ovsdb with neutron
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ga
Target Release: 7.0 (Kilo)
Assignee: Ryan Hallisey
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-06-18 10:53 UTC by Arie Bregman
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version: openstack-selinux-0.6.35-1.el7ost
Doc Type: Bug Fix
Doc Text:
Prior to this update, ovsdb-server, which Neutron's native ovsdb driver connects to on TCP port 6640 by default, was not allowed by the SELinux policy to bind to that port (an unreserved port). Consequently, SELinux prevented Neutron from working with the native driver. Now, the openvswitch_t domain is allowed to bind to unreserved ports and Neutron runs without issues.
Clone Of:
Environment:
Last Closed: 2015-08-05 13:27:35 UTC
Target Upstream Version:
Embargoed:


Attachments
audit log - ovsdb (6.76 KB, text/plain)
2015-06-18 10:53 UTC, Arie Bregman


Links
Red Hat Product Errata RHEA-2015:1548 (priority normal, status SHIPPED_LIVE): Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory, last updated 2015-08-05 17:07:06 UTC

Description Arie Bregman 2015-06-18 10:53:19 UTC
Created attachment 1040411: audit log - ovsdb

Description of problem:
When using the new native ovsdb implementation in neutron, users might get the following error: "ovsdb-server: ovs|04239|socket_util|ERR|6640:127.0.0.1: bind: Permission denied"

Disabling SELinux or setting it to permissive makes this error disappear.

Steps to Reproduce:
1. Install openstack-neutron and run it (make sure ovsdb-server running)
2. run the following command: sudo ovs-vsctl set-manager ptcp:6640:127.0.0.1

Actual results:
ovsdb-server: ovs|04239|socket_util|ERR|6640:127.0.0.1: bind: Permission denied

Expected results:
ovs-vsctl: ovs|00001|vsctl|INFO|Called as ovs-vsctl set-manager ptcp:6640:127.0.0.1

Additional information: 
partial output from audit.log is attached

Comment 2 Ihar Hrachyshka 2015-06-18 11:07:13 UTC
There is no need to install ovsdb-server to reproduce the issue; ovsdb-server would be enough.

I will give some insight into why it should be allowed.

Neutron added a new implementation to access ovsdb in Kilo (OSP7) called native. It does not use vsctl commands but instead uses Python bindings for OVS. Its connection URI to ovsdb can be controlled, but it should always be some TCP connection, and there is a config hook to control the URI. Most people will not configure it though, reusing the default, which is "ptcp:6640:127.0.0.1":

http://git.openstack.org/cgit/openstack/neutron/tree/neutron/agent/ovsdb/impl_idl.py#n31

I think we should allow that particular port to be opened by default, SELinux-wise.

Comment 19 Ihar Hrachyshka 2015-06-22 09:17:45 UTC
The implication of this is that default native ovsdb driver settings are not usable with default selinux policies, so those interested in trying it out will either disable selinux or apply their own rules.

Also, it means that we cannot execute functional tests for neutron out-of-the-box.

It is applicable for OSP7+.

Comment 26 Ryan Hallisey 2015-06-22 17:52:57 UTC
allow openvswitch_t unreserved_port_t:tcp_socket name_bind;

This looks fine.  If you got this AVC in enforcing mode, re-run it in permissive so that you don't miss any AVCs.
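
A worked example, added here and not code from the bug report or from the openstack-selinux package, of turning AVC records like the one behind this bug into a local policy module in the shape audit2allow -M produces, with only awk. The audit records it parses are constructed to mirror the denial described in this bug (the attached audit.log is not reproduced on this page), and the module name ovsdb_local is an arbitrary choice:

```shell
#!/bin/sh
# Added example, not code from the bug report or from openstack-selinux: build a
# local SELinux policy module from AVC denials using only awk. The records below
# are constructed to mirror the denial in this bug (ovsdb-server, running as
# openvswitch_t, binding TCP port 6640, which is labelled unreserved_port_t);
# they are not the attached audit.log. The repeated AVC stands for the retry a
# daemon typically logs; the SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AVC='type=AVC msg=audit(1434624800.123:4239): avc:  denied  { name_bind } for  pid=1234 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1434624800.123:4239): arch=c000003e syscall=49 success=no exit=-13 comm="ovsdb-server" exe="/usr/sbin/ovsdb-server" subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(1434624800.987:4241): avc:  denied  { name_bind } for  pid=1234 comm="ovsdb-server" src=6640 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_to_te MODULE_NAME < audit.log
# Reads audit records on stdin and prints a .te module: one allow rule per
# (source type, target type, class) with permissions merged and de-duplicated,
# plus the require block the module needs in order to compile.
avc_to_te() {
  awk -v mod="$1" '
    function setfmt(x) { return index(x, " ") ? "{ " x " }" : x }
    /^type=AVC / && / denied / {
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)   # text between the braces
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "scontext")      { split(v, p, ":"); s = p[3] }   # user:role:TYPE:level
        else if (k == "tcontext") { split(v, p, ":"); t = p[3] }
        else if (k == "tclass")   c = v
      }
      if (s == "" || t == "" || c == "") next
      types[s] = 1; types[t] = 1
      key = s " " t ":" c
      if (!(key in rule)) { keys[++nk] = key; rule[key] = "" }
      np = split(perms, pl, " ")
      for (j = 1; j <= np; j++) {
        if (index(" " rule[key] " ", " " pl[j] " ") == 0)
          rule[key] = (rule[key] == "" ? pl[j] : rule[key] " " pl[j])
        if (index(" " cls[c] " ", " " pl[j] " ") == 0)
          cls[c] = (cls[c] == "" ? pl[j] : cls[c] " " pl[j])
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (ty in types) printf "\ttype %s;\n", ty
      for (cl in cls)   printf "\tclass %s %s;\n", cl, setfmt(cls[cl])
      printf "}\n\n"
      for (k = 1; k <= nk; k++) printf "allow %s %s;\n", keys[k], setfmt(rule[keys[k]])
    }'
}

# enforcing_denials < audit.log
# Counts denials that were actually enforced (permissive=0). A process stopped
# by the first such denial never reaches the code that would trigger the next
# one, so a module generated from an enforcing-mode log can be incomplete:
# re-run the reproducer under setenforce 0 and regenerate (comment 26).
enforcing_denials() {
  grep -c '^type=AVC .* denied .*permissive=0' || true
}

# Demonstration on the constructed sample. On a real host the input would come
# from: ausearch -m avc -ts recent | avc_to_te ovsdb_local > ovsdb_local.te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te ovsdb_local
echo "denials recorded in enforcing mode: $(printf '%s\n' "$SAMPLE_AVC" | enforcing_denials)"
```

The allow line the function emits for the sample is the rule quoted in this comment. On an affected host the generated .te file is built and loaded with checkmodule -M -m -o ovsdb_local.mod ovsdb_local.te, semodule_package -o ovsdb_local.pp -m ovsdb_local.mod and semodule -i ovsdb_local.pp; the shipped fix is openstack-selinux-0.6.35-1.el7ost, so a local module of this kind is a stopgap only. Whether the installed policy already carries the rule can be checked with sesearch -A -s openvswitch_t -t unreserved_port_t -c tcp_socket -p name_bind from setools.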

Comment 27 Ihar Hrachyshka 2015-06-23 09:07:06 UTC
Not sure it's a blocker though: native ovsdb driver is not enabled by default.

Comment 29 Arie Bregman 2015-06-24 05:33:31 UTC
I've tested the new package (openstack-selinux-0.6.35-1.el7ost) and I can confirm that it works now =)

Comment 30 Toni Freger 2015-06-29 07:38:48 UTC
Verified on latest puddle from OpenStack/7.0-RHEL-7-Beta/2015-06-24.1/ on rhel7.1
openstack-selinux-0.6.35-1.el7ost

Verified that ovsdb-server is running and ovs manager is set.

No errors or AVCs appeared.

Comment 32 errata-xmlrpc 2015-08-05 13:27:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548

