Bug 1294420 - selinux rejects Router Advertisement Daemon commands
selinux rejects Router Advertisement Daemon commands
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux (Show other bugs)
8.0 (Liberty)
Unspecified Unspecified
urgent Severity high
: ga
: 8.0 (Liberty)
Assigned To: Ryan Hallisey
: TestOnly, ZStream
Depends On:
  Show dependency treegraph
Reported: 2015-12-28 02:23 EST by bkopilov
Modified: 2016-06-23 14:19 EDT (History)
8 users (show)

See Also:
Fixed In Version: openstack-selinux-0.6.51-1.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, IPv6 was unable to advertise the router advertisement deamon commands, resulting in SELinux rejecting the router advertisement commands and OpenStack Networking failing with errors. With this update, IPv6 is now allowed to advertise the router advertisement commands. As a result, OpenStack Networking runs without errors.
Story Points: ---
Clone Of:
Last Closed: 2016-06-23 14:19:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
audit.log.4 (1.00 MB, application/x-gzip)
2015-12-28 02:29 EST, bkopilov
no flags Details

  None (edit)
Description bkopilov 2015-12-28 02:23:58 EST
Description of problem:
rhel7.2 , rhos 8  , installed with openstack director.

There are selinux denies for ipv6 messages, 

/var/log/audit/audit.log.2:10668:type=AVC msg=audit(1451203693.469:240652): avc:  denied  { create } for  pid=6620 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket

IPV6 advertisment issues : 
/var/log/audit/audit.log.2:20275:type=AVC msg=audit(1451207012.915:246764): avc: denied { getattr } for pid=31616 comm="neutron-rootwra" path="/usr/sbin/radvd" dev="sda2" ino=1574747 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:radvd_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
attaching selinux logs
Comment 2 bkopilov 2015-12-28 02:29 EST
Created attachment 1109964 [details]
Comment 3 Ryan Hallisey 2016-01-13 12:32:25 EST
Can you re run this in permissive?  Those AVCs I don't think reveal the issue and the neutron one is already allowed.
Comment 4 Ryan Hallisey 2016-01-13 13:04:27 EST
Try this out. See if it fixes the issue.
Comment 11 bkopilov 2016-06-05 06:35:54 EDT
Hi , 
Checked in post automation run with tempest.
I did not see /usr/sbin/radvd deny.


Note You need to log in before you can comment on or make changes to this bug.