Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1419418 - Selinux is preventing neutron-openvswitch-agent from starting properly
Summary: Selinux is preventing neutron-openvswitch-agent from starting properly
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1420134
TreeView+ depends on / blocked
 
Reported: 2017-02-06 05:35 UTC by David Hill
Modified: 2017-04-19 20:35 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1420134 (view as bug list)
Environment:
Last Closed: 2017-04-19 20:35:55 UTC


Attachments (Terms of Use)
selinux logs (772.20 KB, application/x-gzip)
2017-02-07 22:10 UTC, David Hill
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1649124 0 None None None 2017-02-06 05:35:25 UTC

Description David Hill 2017-02-06 05:35:01 UTC
Description of problem:
Selinux is preventing neutron-openvswitch-agent from starting properly .  When the issue occurs, ovs-vswitchd is using 100% CPU and unless "semodule -R -D" is ran, no selinux messages appears but ovs-vswitchd is logging lots of permission denied entries.  For what it worths, here is a quick fix:


policy_module(fix,0.0.1)
require {
 type neutron_t;
 type nsfs_t;
 type openvswitch_t;
 class netlink_generic_socket { connect create getattr getopt setopt read write };
 class file { open read };
}
allow neutron_t nsfs_t:file { open read };
allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt read write};
neutron_systemctl(openvswitch_t)
hostname_exec(openvswitch_t)

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install rdo-newton/ocata/trunk repositories on RHEL 7.3 
2. Run "openstack undercloud install"
3.

Actual results:
Everything succeeds BUT neutron-openvswitch-agent dies on first startup because ovs-vsctl manager creation failed with -14.  Lots of logs in ovs-vswitchd with permission denied and overcloud creation will fail.

Expected results:
Selinux shouldn't be a problem with newton/ocata

Additional info:
This is easily reprocible

Comment 1 David Hill 2017-02-06 05:58:53 UTC
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -13,6 +13,7 @@ gen_require(`
        type proc_t;
        type radvd_exec_t;
        type modules_object_t;
+  type nsfs_t;
        type ipsec_key_file_t;
        type keepalived_t;
        type logrotate_t;
@@ -26,6 +27,7 @@ gen_require(`
        class unix_stream_socket connectto;
        class dir search;
        class netlink_selinux_socket create;
+  class netlink_generic_socket { connect create getattr getopt setopt read write };
 ')
 
 # Bugzilla 1357961
@@ -34,6 +36,12 @@ corenet_tcp_bind_openflow_port(neutron_t)
 # Bugzilla 1180679
 allow neutron_t keepalived_t:process signal;
 
+# Bugzilla 1419418
+allow neutron_t nsfs_t:file { open read };
+allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt read write};
+neutron_systemctl(openvswitch_t)
+hostname_exec(openvswitch_t)
+
 # Bugzilla 1168526 & 1176830
 allow neutron_t radvd_exec_t:file { read open execute execute_no_trans };
 fs_getattr_all_fs(neutron_t)

Comment 2 Ihar Hrachyshka 2017-02-06 19:28:26 UTC
We already have a bunch of rules in https://github.com/redhat-openstack/openstack-selinux/blob/el7/os-ovs.te that seem related. So why don't they work for you? Do you have them included into your openstack-selinux package? Is your vswitchd started before the rules applied? Lots of questions to answer before we open another hole in our security wall.

Please attach service logs for neutron, as well as syslog, as well as audit.log, and config files for neutron services.

It's also not clear why the patch that you proposed to Neutron that masked quotes helped your case. I can't find how this is relevant to the selinux rule you suggested.

I can't believe native interface is broken in RDO, it's default option; as per Brent Eagles, it's not overridden by either puppet or heat or tripleo, and we have tempest jobs in RDO CI pipeline that would catch an error like not being able to add the manager (that would make L2 agent completely disfunctional).

So, in essence, please give more details about your setup, and logs, and maybe rationale on the rules you suggest (how have you come up to them?)

Comment 3 David Hill 2017-02-07 22:10:34 UTC
Created attachment 1248507 [details]
selinux logs

Comment 4 David Hill 2017-02-07 22:11:13 UTC
Name        : openstack-selinux
Version     : 0.7.13
Release     : 2.el7
Architecture: noarch
Install Date: Tue 07 Feb 2017 11:27:53 AM EST
Group       : System Environment/Base
Size        : 155383
License     : GPLv2
Signature   : (none)
Source RPM  : openstack-selinux-0.7.13-2.el7.src.rpm
Build Date  : Fri 09 Dec 2016 09:06:24 AM EST
Build Host  : c1bj.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CBS <cbs@centos.org>
Vendor      : CentOS
URL         : https://github.com/redhat-openstack/openstack-selinux
Summary     : SELinux Policies for OpenStack
Description :
SELinux policy modules for use with OpenStack

Comment 5 David Hill 2017-02-07 22:14:26 UTC
[root@undercloud-0-newton audit]# semodule -l | grep ovs
os-ovs	0.1

Comment 6 David Hill 2017-02-07 23:29:39 UTC
I seem to be able to reproduce this with RHEL 7.3 and RHOSP 10 at this point.  I'm using the latest RHEL 7.3 KVM image and spawn RHOSP 10 / RDO-Newton/Ocata/Etc from a systemd init script.  Maybe our RHEL 7.3 KVM image has issues?

Comment 7 David Hill 2017-02-07 23:32:42 UTC
Name        : openstack-selinux
Arch        : noarch
Version     : 0.7.13
Release     : 3.el7ost
Size        : 152 k
Repo        : installed
From repo   : rhelosp-10.0-puddle
Summary     : SELinux Policies for OpenStack
URL         : https://github.com/redhat-openstack/openstack-selinux
License     : GPLv2
Description : SELinux policy modules for use with OpenStack


# cat audit.log | grep denied | audit2allow -R
require {
	type openvswitch_t;
	class netlink_generic_socket getopt;
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket getopt;



One of the main symptoms I can see here is when ovs-vswitched is using 100% CPU  and ovs-vswitchd logs lots of the following:
2017-02-07T23:25:14.921Z|02933|netlink_socket|ERR|transaction error (Permission denied)


This issue is really openstack-selinux not allowing the proper syscall and needs to be whitelisted.

Comment 8 Lon Hohberger 2017-02-20 20:19:46 UTC
Actually, the rest of this noted in commend #7 look all right.

Comment 9 Lon Hohberger 2017-02-20 20:30:18 UTC
needs a bit more, going through the logs:

require {
	type openvswitch_t;
	class netlink_generic_socket { connect create getattr getopt setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt };

Comment 10 Lon Hohberger 2017-02-20 20:39:38 UTC
... which can be shortened to: create_socket_perms


Note You need to log in before you can comment on or make changes to this bug.