Bug 1294420 - selinux rejects Router Advertisement Daemon commands
Summary: selinux rejects Router Advertisement Daemon commands
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assignee: Ryan Hallisey
QA Contact: bkopilov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-28 07:23 UTC by bkopilov
Modified: 2016-06-23 18:19 UTC
CC: 8 users

Fixed In Version: openstack-selinux-0.6.51-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the SELinux policy did not allow the IPv6 router advertisement daemon (radvd) commands, so SELinux rejected the router advertisement commands and OpenStack Networking failed with errors. With this update, the IPv6 router advertisement commands are allowed. As a result, OpenStack Networking runs without errors.
Clone Of:
Environment:
Last Closed: 2016-06-23 18:19:42 UTC
Target Upstream Version:


Attachments
audit.log.4 (1.00 MB, application/x-gzip)
2015-12-28 07:29 UTC, bkopilov

Description bkopilov 2015-12-28 07:23:58 UTC
Description of problem:
RHEL 7.2, RHOS 8, installed with OpenStack director.

There are SELinux denials for IPv6 messages:

/var/log/audit/audit.log.2:10668:type=AVC msg=audit(1451203693.469:240652): avc:  denied  { create } for  pid=6620 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket

IPv6 advertisement issues:
/var/log/audit/audit.log.2:20275:type=AVC msg=audit(1451207012.915:246764): avc: denied { getattr } for pid=31616 comm="neutron-rootwra" path="/usr/sbin/radvd" dev="sda2" ino=1574747 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:radvd_exec_t:s0 tclass=file
Additional info:
Attaching SELinux logs.

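As an added example (not part of the bug report or of openstack-selinux), a small Python parser for AVC records like the two quoted above: it tolerates the grep file:line prefix, pulls out the source and target SELinux types, and aggregates denials into (source type, target type, class, permission) tuples, which is the granularity at which a policy rule or an audit2allow suggestion gets reviewed. The sample lines are constructed from the records in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the two AVC records quoted in the bug report.
# The first keeps the "file:line:" prefix that grep adds; the third is not an AVC record.
SAMPLE_AVC_LINES = [
    '/var/log/audit/audit.log.2:10668:type=AVC msg=audit(1451203693.469:240652): avc:  denied  { create } for  pid=6620 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket',
    'type=AVC msg=audit(1451207012.915:246764): avc: denied { getattr } for pid=31616 comm="neutron-rootwra" path="/usr/sbin/radvd" dev="sda2" ino=1574747 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:radvd_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1451207012.915:246764): arch=c000003e syscall=4 success=no exit=-13',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value quoted or bare

@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str        # "denied" or "granted"
    perms: tuple       # permissions inside the braces, e.g. ("getattr",)
    fields: dict       # pid, comm, path, scontext, tcontext, tclass, ...

    def context_type(self, key):
        """SELinux type (third field) of scontext or tcontext, e.g. neutron_t."""
        return self.fields[key].split(":")[2]

def parse_avc(line):
    """Parse one audit line; return an AvcRecord, or None for non-AVC records."""
    m = AVC_RE.search(line)  # search(), so a leading grep "file:line:" prefix is tolerated
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("result"),
                     tuple(m.group("perms").split()), fields)

def summarize_denials(lines):
    """Count denials per (source type, target type, class, permission): one entry per
    allow rule that would be needed, the same shape audit2allow reports in."""
    counts = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec.result != "denied":
            continue
        for perm in rec.perms:
            key = (rec.context_type("scontext"), rec.context_type("tcontext"),
                   rec.fields.get("tclass"), perm)
            counts[key] = counts.get(key, 0) + 1
    return counts
```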
Comment 2 bkopilov 2015-12-28 07:29:52 UTC
Created attachment 1109964
audit.log.4

Comment 3 Ryan Hallisey 2016-01-13 17:32:25 UTC
Can you re-run this in permissive? I don't think those AVCs reveal the issue, and the neutron one is already allowed.

Comment 4 Ryan Hallisey 2016-01-13 18:04:27 UTC
Try this out. See if it fixes the issue.

Comment 11 bkopilov 2016-06-05 10:35:54 UTC
Hi,
Checked in a post-automation run with Tempest.
I did not see a /usr/sbin/radvd denial.

Benny
