
Bug 1352710

Summary: SELinux is preventing creation of vpnaas in openstack
Product: Red Hat Enterprise Linux 7
Reporter: Peter Schiffer <pschiffe>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: high
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pschiffe, pvrabec, ssekidde
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-87.el7
Last Closed: 2016-11-04 02:33:45 UTC
Type: Bug

Description Peter Schiffer 2016-07-04 20:33:08 UTC
Description of problem:
SELinux is preventing creation of vpnaas in openstack

Version-Release number of selected component (if applicable):
rpm -q openstack-neutron-vpnaas python-neutron-vpnaas selinux-policy
openstack-neutron-vpnaas-8.0.0-1.el7.noarch
python-neutron-vpnaas-8.0.0-1.el7.noarch
selinux-policy-3.13.1-60.el7_2.7.noarch

How reproducible:
always

Steps to Reproduce:
$ neutron vpn-ikepolicy-create ikepolicy1
$ neutron vpn-ipsecpolicy-create ipsecpolicy1
$ neutron vpn-service-create --name myvpn --description "My vpn service" router1 mysubnet
$ neutron ipsec-site-connection-create --name vpnconnection1 --vpnservice-id myvpn --ikepolicy-id ikepolicy1 --ipsecpolicy-id ipsecpolicy1 --peer-address 172.24.4.233 --peer-id 172.24.4.233 --peer-cidr 10.2.0.0/24 --psk secret

Actual results:
Last command fails

Expected results:
Last command succeeds

Additional info:
$ cat /var/log/neutron/vpn-agent.log
2016-07-04 21:51:16.070 25850 ERROR neutron.agent.linux.utils [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets’: Operation not permitted

2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec [req-13e5d57d-f9e2-4e38-9fc6-6964c8d0ef42 4b604f081fea4ae5a42fa3f9f4295d60 238c62b3ca9f403e9c5330b20b7fbb87 - - -] Failed to enable vpn process on router d067e798-3333-4a03-b61e-82c61173d2fb
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec Traceback (most recent call last):
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 289, in enable
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     self.ensure_configs()
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py", line 51, in ensure_configs
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     secrets_file])
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron_vpnaas/services/vpn/device_drivers/ipsec.py", line 396, in _execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     extra_ok_codes=extra_ok_codes)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 927, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     log_fail_as_error=log_fail_as_error, **kwargs)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 140, in execute
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec     raise RuntimeError(msg)
2016-07-04 21:51:16.071 25850 ERROR neutron_vpnaas.services.vpn.device_drivers.ipsec RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: chown: changing ownership of ‘/var/lib/neutron/ipsec/d067e798-3333-4a03-b61e-82c61173d2fb/etc/ipsec.secrets’: Operation not permitted

$ ausearch -a 26152 -i
----
type=SYSCALL msg=audit(07/04/2016 21:51:16.065:26152) : arch=x86_64 syscall=fchown success=no exit=-1(Operation not permitted) a0=0x3 a1=0x0 a2=0x0 a3=0x7ffdd69f6490 items=0 ppid=9350 pid=1556 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chown exe=/usr/bin/chown subj=system_u:system_r:neutron_t:s0 key=(null) 
type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc:  denied  { chown } for  pid=1556 comm=chown capability=chown  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability


Temporary workaround:
$ semanage permissive -a neutron_t
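
The AVC record above is the whole diagnosis: a process in the neutron_t domain called fchown() and was denied the chown capability, so libreswan's ipsec.secrets could not be chowned. The workaround quoted in the report, marking neutron_t permissive, switches enforcement off for every access that domain makes, not just this one. The proper fix is the policy update named in "Fixed In Version" (selinux-policy-3.13.1-87.el7). The script below is an added example, not from the bug report or the selinux-policy project: it parses an AVC line of the shape shown in this bug, derives the sesearch query that checks whether the loaded policy already allows the access, and emits a minimal Type Enforcement module granting exactly the denied permission, as an interim local alternative to a permissive domain. The module name neutron_local_chown is a hypothetical choice; the sample AVC line is the one from the report, embedded as a constant.

```shell
#!/usr/bin/env bash
# Added example: derive a targeted SELinux rule from an AVC denial record.
# Not part of the bug report or of the selinux-policy package.

# Constructed sample input: the AVC record quoted in the bug, verbatim.
AVC_SAMPLE='type=AVC msg=audit(07/04/2016 21:51:16.065:26152) : avc:  denied  { chown } for  pid=1556 comm=chown capability=chown  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability'

# avc_field LINE KEY -> value of "KEY=value" in LINE (e.g. scontext, tclass)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> space-separated permission names inside "{ ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_sesearch_cmd LINE -> the sesearch invocation that shows whether the
# loaded policy already contains an allow rule for this access. If it prints
# nothing on the box, the denial is a policy gap rather than a labeling issue.
avc_sesearch_cmd() {
    st=$(context_type "$(avc_field "$1" scontext)")
    tt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$st" "$tt" "$cls" "$perms"
}

# avc_te_module LINE NAME -> a minimal .te module granting only the denied
# permission(s). When source and target types match (as for a capability
# check), the rule targets "self" rather than repeating the type.
avc_te_module() {
    line=$1
    name=${2:-avc_local}
    st=$(context_type "$(avc_field "$line" scontext)")
    tt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    if [ "$st" = "$tt" ]; then target=self; else target=$tt; fi
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$name" "$st"
    [ "$target" = self ] || printf '    type %s;\n' "$tt"
    printf '    class %s { %s };\n}\n\n' "$cls" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$st" "$target" "$cls" "$perms"
}

# Stand-alone run: show the check and the module for the sample record.
avc_sesearch_cmd "$AVC_SAMPLE"
echo
avc_te_module "$AVC_SAMPLE" neutron_local_chown
```

To load the generated module on the affected host, save the output as neutron_local_chown.te and build it with `checkmodule -M -m -o neutron_local_chown.mod neutron_local_chown.te`, `semodule_package -o neutron_local_chown.pp -m neutron_local_chown.mod`, then `semodule -i neutron_local_chown.pp`; re-run the reproducer and `ausearch -m AVC -ts recent` to confirm no further denials. Remove the local module (`semodule -r neutron_local_chown`) once the fixed selinux-policy build is installed, so the distribution policy remains the single source of truth.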

Comment 8 errata-xmlrpc 2016-11-04 02:33:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html