Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1245846

Summary: selinux issues with openstack-neutron-vpnaas libreswan driver
Product: Red Hat OpenStack Reporter: Terry Wilson <twilson>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED CURRENTRELEASE QA Contact: Eran Kuris <ekuris>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: dnavale, lhh, lpeer, mburns, mgrepl, nyechiel, oblaut, pwouters, rhallise, srevivo, tfreger
Target Milestone: z5Keywords: Triaged, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.42-1.el7ost Doc Type: Bug Fix
Doc Text:
Previously, SELinux was preventing neutron-vpaas from using 'ipsec', causing OpenStack Networking to fail in 'enforcing' mode. This update allows OpenStack Networking to interact with 'ipsec', as a result, OpenStack Networking functions without issues.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-12 20:29:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1077162    
Attachments:
Description Flags
Script to create two VMs connected by a VPN
none
AVC info none

Description Terry Wilson 2015-07-23 00:03:23 UTC 
Created attachment 1055123 [details]
Script to create two VMs connected by a VPN

Description of problem:

Starting the neutron-vpn-agent service and adding ipsec-site-connections fails with selinux enabled.


Version-Release number of selected component (if applicable):
openstack-selinux-0.6.37-1.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1. Install openstack w/ vpn agent enabled
2. Run attached script, replacing IMAGE= with correct image name


Actual results:
Failures due to selinux

Expected results:
VPN agent runs and the two VMs created by the script can ping each other

Additional info:
See attached ausearch output
Comment 3 Terry Wilson 2015-07-23 00:03:50 UTC 
Created attachment 1055124 [details]
AVC info
Comment 5 Ryan Hallisey 2015-08-25 18:41:40 UTC 
All those rules look good.  Sorry I must've lost this in my inbox somewhere.  Thanks for bringing back to my attention.

allow neutron_t ipsec_conf_file_t:file { read ioctl open getattr };
allow neutron_t ipsec_exec_t:file { read execute open getattr execute_no_trans };
allow neutron_t ipsec_key_file_t:dir { read open };
allow neutron_t ipsec_key_file_t:file { read ioctl open getattr };
allow neutron_t modules_object_t:file getattr;
allow neutron_t self:capability setpcap;
allow neutron_t self:key_socket { write read create };
allow neutron_t self:netlink_xfrm_socket { bind create nlmsg_write };
allow neutron_t setfiles_exec_t:file { read execute open getattr execute_no_trans };
Comment 11 Eran Kuris 2015-12-09 09:32:45 UTC 
blocked by Bug 1268444
Comment 13 Mike Burns 2016-10-12 20:29:24 UTC 
This should not have been failed for another existing bug.  The package has been shipped live.  Closing this bug.