Description of problem:
OpenStack with packstack on CentOS and neutron was not able to function properly due to:

/var/log/neutron/dhcp-agent.log:2016-07-03 13:20:04.605 1600 ERROR neutron.agent.linux.dhcp RuntimeError: Exit code: 1 ; Stdin: ; Stdout: ; Stderr: open("/proc/self/ns/net"): Permission denied

Version-Release number of selected component (if applicable):
Package openstack-selinux-0.7.2-1.el7.noarch

How reproducible:
Every time.

Steps to Reproduce:
Installed packstack following RDO instructions on AArch64.
Used the following repo for AArch64: http://people.linaro.org/~marcin.juszkiewicz/centos7/openstack-mitaka/

Actual results:
Neutron was not allowed to access /proc/self/ns/net

Expected Results:
Neutron should be allowed to access /proc/self/ns/net

Additional info:
After adding the following rules the error went away:

# cat neutron_fix_read.te
module neutron_fix_read 1.0;

require {
        type unlabeled_t;
        type neutron_t;
        type proc_net_t;
        class file { read open };
}

#============= neutron_t ==============
allow neutron_t unlabeled_t:file open;
allow neutron_t unlabeled_t:file read;
allow neutron_t proc_net_t:file open;
allow neutron_t proc_net_t:file read;
I'm not able to reproduce this with Mitaka on RHEL 7.2 but I definitely have this issue with Newton on RHEL 7.2.
See https://bugzilla.redhat.com/show_bug.cgi?id=1373321
Hello Gema,

Which kernel version are you using? Where does it come from?

Thank you very much,
Dave
I was using the kernel from the linaro overlay: http://repo.linaro.org/rpm/linaro-overlay/centos-7/repo/ I don't have this system deployed anymore, but based on the date of this bug and how I was testing, the kernel I was using was kernel-devel-4.4.11-reference.132.aarch64.rpm from this repo. Hope that helps.
*** This bug has been marked as a duplicate of bug 1373321 ***