Bug 1352710 - SELinux is preventing creation of vpnaas in openstack
Summary: SELinux is preventing creation of vpnaas in openstack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-04 20:33 UTC by Peter Schiffer
Modified: 2016-11-04 02:33 UTC (History)

Fixed In Version: selinux-policy-3.13.1-87.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:33:45 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2016:2283 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2016-11-03 13:36:25 UTC

Description Peter Schiffer 2016-07-04 20:33:08 UTC
Description of problem:
SELinux is preventing creation of vpnaas in openstack

Version-Release number of selected component (if applicable):
rpm -q openstack-neutron-vpnaas python-neutron-vpnaas selinux-policy
openstack-neutron-vpnaas-8.0.0-1.el7.noarch
python-neutron-vpnaas-8.0.0-1.el7.noarch
selinux-policy-3.13.1-60.el7_2.7.noarch

How reproducible:
always

Steps to Reproduce:
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 mysubnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret

Actual results:
Last command fails

Expected results:
Last command succeeds

Additional info:
$ cat /var/log/neutron/vpn-agent.log
2016-07-04 21:51:16.070 25850 ERROR neutron.agent.linux.utils [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets’: Operation not permitted

2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Failed to enable vpn process on router d067e798-3333-4a03-b61e-82c61173d2fb
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 289, in enable
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.ensure_configs()
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 51, in ensure_configs
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     secrets_file])
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 396, in _execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 927, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     log_fail_as_error=log_fail_as_error, **kwargs)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 140, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(msg)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of \u2018/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets\u2019: Operation not permitted

$ ausearch -a 26152 -i
----
type=SYSCALL msg=audit(07/04/2016 21:51:16.065:26152) : arch=x86_64 syscall=fchown success=no exit=-1(Operation not permitted) a0=0x3 a1=0x0 a2=0x0 a3=0x7ffdd69f6490 items=0 ppid=9350 pid=1556 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chown exe=/usr/bin/chown subj=system_u:system_r:neutron_t:s0 key=(null) 
type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc:  denied  { chown } for  pid=1556 comm=chown capability=chown  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability


Temporary workaround:
$ semanage permissive -a neutron_t
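An added example, not part of the bug report or of the selinux-policy package: it parses the AVC record quoted above and renders the narrowest TE rule plus a minimal local module, which is the targeted alternative to `semanage permissive -a neutron_t` (that workaround lifts enforcement for every operation of the domain, not just the one chown capability). It generalizes past this bug's capability denial to file-class denials; the function names, the module name and the second (file-class) record are my own constructed assumptions, chosen to exercise the non-`self` branch.

```python
import re

# Constructed sample: the AVC record quoted in the bug report above.
SAMPLE_AVC = (
    "type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc:  denied  { chown } for  "
    "pid=1556 comm=chown capability=chown  scontext=system_u:system_r:neutron_t:s0 "
    "tcontext=system_u:system_r:neutron_t:s0 tclass=capability"
)
# Constructed second record (hypothetical, not from the bug): a file-class denial
# against a distinct target type, to exercise the non-"self" branch.
SAMPLE_FILE_AVC = (
    "type=AVC msg=audit(1467661876.065:26153): avc:  denied  { write } for  "
    "pid=1556 comm=neutron-vpn-agen name=ipsec.secrets scontext=system_u:system_r:neutron_t:s0 "
    "tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Extract permissions, contexts and object class from one AVC record (raw or ausearch -i form)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    return {"perms": m.group("perms").split(), "scontext": f.get("scontext"),
            "tcontext": f.get("tcontext"), "tclass": f.get("tclass")}

def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]

def te_rule(avc):
    """Narrowest allow rule for one denial; 'self' when source and target types match."""
    src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s { %s };" % (src, target, avc["tclass"], " ".join(avc["perms"]))

def te_module(name, lines):
    """Render a minimal .te module (require block + allow rules) covering the parsed denials."""
    avcs = [a for a in map(parse_avc, lines) if a]
    types, classes = set(), {}
    for a in avcs:
        types.update([context_type(a["scontext"]), context_type(a["tcontext"])])
        classes.setdefault(a["tclass"], set()).update(a["perms"])
    req = ["require {"] + ["\ttype %s;" % t for t in sorted(types)]
    req += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    req.append("}")
    return "module %s 1.0;\n\n%s\n\n%s\n" % (name, "\n".join(req), "\n".join(te_rule(a) for a in avcs))
```

The rendered `.te` text is what you would feed to `checkmodule -M -m`, `semodule_package` and `semodule -i` to load a local module; once the fixed-in version listed above is installed, no local module is needed.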

Comment 8 errata-xmlrpc 2016-11-04 02:33:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

