Created attachment 1097535 [details]
audit log

Description of problem:
After starting neutron-server and openvswitch, selinux starts to deny different networking actions and ovs-vswitchd stops working.

Version-Release number of selected component (if applicable):
openstack-selinux-0.6.45-1.el7ost.noarch
openvswitch-2.4.0-1.el7.x86_64
python-openvswitch-2.4.0-1.el7.noarch
openstack-neutron-openvswitch-7.0.0-4.el7ost.noarch

Steps to Reproduce:
1. Install rhos 8 with openvswitch

Actual results:
ovs-vswitchd dies suddenly.

Expected results:
ovs-vswitchd should run all the time

Additional info:
Logs provided.
Created attachment 1098008 [details]
audit log for openstack-selinux-0.6.46-1
I tried the new package but I still have errors. Log attached.
Can you retest in permissive please? When you catch something in enforcing, go back and test in permissive because enforcing won't show all the AVCs that are breaking this. I'll wait for those logs then build off that.
Created attachment 1098330 [details]
audit.log with settings to permissive before running tests

When setting to permissive and running tests everything is working fine. Added log.
Created attachment 1098334 [details]
audit.log.1 with settings to permissive before running tests

Adding part 2 of latest log attached.
We still have fails. Logs attached.
allow openvswitch_t self:tun_socket create;
allow openvswitch_t tun_tap_device_t:chr_file open;

These 2 showed up.
Created attachment 1100728 [details]
audit.log-12/01
Still fails. Log attached.
Created attachment 1107937 [details]
audit.log-12.20

Log attached. Seems like it still doesn't work when selinux is set to Enforcing.
There are no AVCs in that log. Can you run in permissive and see if anything pops up?
Beware the dontaudit rules, too.
(In reply to Lon Hohberger from comment #14)
> Beware the dontaudit rules, too.

I would go with

# semodule -DB
# setenforce 0

re-test and

# ausearch -m avc,user_avc,selinux_err -ts recent
Can you test again with what Mirek suggested?

# semodule -DB
# setenforce 0

I still only see USER_AVCs. The real denial is not coming up yet.
#!!!! This avc has a dontaudit rule in the current policy
allow openvswitch_t ovsdb_port_t:tcp_socket name_bind;

buried as a dontaudit rule. This looks like a culprit.
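An added illustration of the two points made above (only USER_AVCs showing up, and a denial hidden behind a dontaudit rule), not code from this bug report or from openstack-selinux: a small audit2allow-style parser that separates kernel AVC denials from USER_AVC records and folds the denials into allow rules. The audit records are constructed from the three rules named in this thread; the pids, timestamps and paths in them are made up.

```python
import re

# Constructed sample audit records (not from the attached logs): three kernel AVC
# denials matching the rules named in this thread, the third being the kind that stays
# hidden until dontaudit rules are disabled (semodule -DB), plus one USER_AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1449000000.123:456): avc:  denied  { create } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1449000000.124:457): avc:  denied  { open } for  pid=1234 comm="ovs-vswitchd" path="/dev/net/tun" dev="devtmpfs" ino=99 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1449000000.125:458): avc:  denied  { name_bind } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:ovsdb_port_t:s0 tclass=tcp_socket permissive=1
type=USER_AVC msg=audit(1449000000.126:459): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1449000000.123:456): arch=c000003e syscall=41 success=yes exit=5
"""

# Kernel AVC denial: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ "
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(log_text):
    """Return ([(source_type, target_type, class, perm), ...], user_avc_count).
    USER_AVC records come from userspace object managers (e.g. systemd, dbus) and
    are only counted: "only USER_AVCs" means the kernel denial was not captured."""
    denials, user_avcs = [], 0
    for line in log_text.splitlines():
        if line.startswith("type=USER_AVC "):
            user_avcs += 1
            continue
        m = AVC_RE.match(line)
        if m:
            for perm in m["perms"].split():
                denials.append((m["sdom"], m["ttype"], m["tclass"], perm))
    return denials, user_avcs

def allow_rules(denials):
    """Fold denials into one allow rule per (source, target, class); the target is
    written as `self` when it equals the source domain, as audit2allow does."""
    grouped = {}
    for sdom, ttype, tclass, perm in denials:
        grouped.setdefault((sdom, ttype, tclass), set()).add(perm)
    rules = []
    for (sdom, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if ttype == sdom else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {sdom} {target}:{tclass} {plist};")
    return rules
```

Run against a real /var/log/audit/audit.log only after `semodule -DB` and a permissive run, or the name_bind denial never reaches the log in the first place.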
The latest package fixed the issues for me. Everything works as expected now.
(In reply to Arie Bregman from comment #21)
> The latest package fixed the issues for me. Everything works as expected now.

What are the reproduction steps for verification? HA environment?

Tnx
(In reply to Alexander Stafeyev from comment #23)
> (In reply to Arie Bregman from comment #21)
> > The latest package fixed the issues for me. Everything works as expected now.
>
> What are the reproduction steps for verification ? HA environment ?
>
> Tnx

1. Deploy RHOS8
2. Test creation of networking resources - network, port and subnet.
3. Create instances in different networks and a router. Verify connectivity between the instances.
4. Run tests (tempest/functional)

No need to deploy an HA environment.
There is connectivity between different network instances.

[root@overcloud-controller-0 ~]# getenforce
Enforcing
[root@overcloud-controller-0 ~]# sudo cat /var/log/audit/audit.log | grep den
[root@overcloud-controller-0 ~]# rpm -qa | grep openstack-sel
openstack-selinux-0.6.52-1.el7ost.noarch
[root@overcloud-controller-0 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html