Bug 1419418 - Selinux is preventing neutron-openvswitch-agent from starting properly
Summary: Selinux is preventing neutron-openvswitch-agent from starting properly
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks: 1420134
Reported: 2017-02-06 05:35 UTC by David Hill
Modified: 2017-04-19 20:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1420134
Environment:
Last Closed: 2017-04-19 20:35:55 UTC
Embargoed:


Attachments
selinux logs (772.20 KB, application/x-gzip), 2017-02-07 22:10 UTC, David Hill


Links
System     ID       Private  Priority  Status  Summary  Last Updated
Launchpad  1649124  0        None      None    None     2017-02-06 05:35:25 UTC

Description David Hill 2017-02-06 05:35:01 UTC
Description of problem:
Selinux is preventing neutron-openvswitch-agent from starting properly.  When the issue occurs, ovs-vswitchd is using 100% CPU and unless "semodule -R -D" is run, no selinux messages appear but ovs-vswitchd is logging lots of permission denied entries.  For what it's worth, here is a quick fix:


policy_module(fix, 0.0.1)
require {
	type neutron_t;
	type nsfs_t;
	type openvswitch_t;
	class netlink_generic_socket { connect create getattr getopt setopt read write };
	class file { open read };
}
allow neutron_t nsfs_t:file { open read };
allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt read write };
neutron_systemctl(openvswitch_t)
hostname_exec(openvswitch_t)

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install rdo-newton/ocata/trunk repositories on RHEL 7.3 
2. Run "openstack undercloud install"
3.

Actual results:
Everything succeeds BUT neutron-openvswitch-agent dies on first startup because ovs-vsctl manager creation failed with -14.  Lots of logs in ovs-vswitchd with permission denied and overcloud creation will fail.

Expected results:
Selinux shouldn't be a problem with newton/ocata

Additional info:
This is easily reproducible

Comment 1 David Hill 2017-02-06 05:58:53 UTC
--- a/os-neutron.te
+++ b/os-neutron.te
@@ -13,6 +13,7 @@ gen_require(`
        type proc_t;
        type radvd_exec_t;
        type modules_object_t;
+  type nsfs_t;
        type ipsec_key_file_t;
        type keepalived_t;
        type logrotate_t;
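Review bot: the added `type nsfs_t;` line is indented with two spaces while every other entry in this gen_require block is tab-indented; match the surrounding indentation so the block stays uniform.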
@@ -26,6 +27,7 @@ gen_require(`
        class unix_stream_socket connectto;
        class dir search;
        class netlink_selinux_socket create;
+  class netlink_generic_socket { connect create getattr getopt setopt read write };
 ')
 
 # Bugzilla 1357961
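Review bot: this gen_require addition declares the netlink_generic_socket permissions but no `type openvswitch_t;`, which the allow rules added further down in the same file reference; unless openvswitch_t is already required in a part of os-neutron.te not shown here, the module will not build. The permission list also carries `read write`, which neither of the audit2allow outputs later in this thread (comments 7 and 9) reports as denied; trim it to the denied set, or use the `create_socket_perms` set as comment 10 suggests. Indentation of the new line should match the tab-indented entries around it.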
@@ -34,6 +36,12 @@ corenet_tcp_bind_openflow_port(neutron_t)
 # Bugzilla 1180679
 allow neutron_t keepalived_t:process signal;
 
+# Bugzilla 1419418
+allow neutron_t nsfs_t:file { open read };
+allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt read write};
+neutron_systemctl(openvswitch_t)
+hostname_exec(openvswitch_t)
+
 # Bugzilla 1168526 & 1176830
 allow neutron_t radvd_exec_t:file { read open execute execute_no_trans };
 fs_getattr_all_fs(neutron_t)
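Review bot: three of the four new rules widen openvswitch_t rather than neutron_t, yet they land in os-neutron.te; comment 2 points out that the openvswitch rules already live in os-ovs.te, and that is where these belong so the two files do not diverge. `neutron_systemctl(openvswitch_t)` and `hostname_exec(openvswitch_t)` are not backed by any AVC quoted in this report (the only denials shown are netlink_generic_socket on openvswitch_t and nsfs_t file reads on neutron_t), so each needs a matching denial from audit.log before it is merged. Style nit on the self:netlink_generic_socket line: missing space before the closing brace (`write};`).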

Comment 2 Ihar Hrachyshka 2017-02-06 19:28:26 UTC
We already have a bunch of rules in https://github.com/redhat-openstack/openstack-selinux/blob/el7/os-ovs.te that seem related. So why don't they work for you? Do you have them included in your openstack-selinux package? Is your vswitchd started before the rules are applied? Lots of questions to answer before we open another hole in our security wall.

Please attach service logs for neutron, as well as syslog, as well as audit.log, and config files for neutron services.

It's also not clear why the patch that you proposed to Neutron that masked quotes helped your case. I can't find how this is relevant to the selinux rule you suggested.

I can't believe the native interface is broken in RDO, it's the default option; as per Brent Eagles, it's not overridden by either puppet or heat or tripleo, and we have tempest jobs in the RDO CI pipeline that would catch an error like not being able to add the manager (that would make the L2 agent completely dysfunctional).

So, in essence, please give more details about your setup, and logs, and maybe the rationale for the rules you suggest (how did you come up with them?)

Comment 3 David Hill 2017-02-07 22:10:34 UTC
Created attachment 1248507 [details]
selinux logs

Comment 4 David Hill 2017-02-07 22:11:13 UTC
Name        : openstack-selinux
Version     : 0.7.13
Release     : 2.el7
Architecture: noarch
Install Date: Tue 07 Feb 2017 11:27:53 AM EST
Group       : System Environment/Base
Size        : 155383
License     : GPLv2
Signature   : (none)
Source RPM  : openstack-selinux-0.7.13-2.el7.src.rpm
Build Date  : Fri 09 Dec 2016 09:06:24 AM EST
Build Host  : c1bj.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CBS <cbs>
Vendor      : CentOS
URL         : https://github.com/redhat-openstack/openstack-selinux
Summary     : SELinux Policies for OpenStack
Description :
SELinux policy modules for use with OpenStack

Comment 5 David Hill 2017-02-07 22:14:26 UTC
[root@undercloud-0-newton audit]# semodule -l | grep ovs
os-ovs	0.1

Comment 6 David Hill 2017-02-07 23:29:39 UTC
I seem to be able to reproduce this with RHEL 7.3 and RHOSP 10 at this point.  I'm using the latest RHEL 7.3 KVM image and spawn RHOSP 10 / RDO-Newton/Ocata/Etc from a systemd init script.  Maybe our RHEL 7.3 KVM image has issues?

Comment 7 David Hill 2017-02-07 23:32:42 UTC
Name        : openstack-selinux
Arch        : noarch
Version     : 0.7.13
Release     : 3.el7ost
Size        : 152 k
Repo        : installed
From repo   : rhelosp-10.0-puddle
Summary     : SELinux Policies for OpenStack
URL         : https://github.com/redhat-openstack/openstack-selinux
License     : GPLv2
Description : SELinux policy modules for use with OpenStack


# cat audit.log | grep denied | audit2allow -R
require {
	type openvswitch_t;
	class netlink_generic_socket getopt;
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket getopt;



One of the main symptoms I can see here is that ovs-vswitchd is using 100% CPU and ovs-vswitchd logs lots of the following:
2017-02-07T23:25:14.921Z|02933|netlink_socket|ERR|transaction error (Permission denied)


This issue is really openstack-selinux not allowing the proper syscall and needs to be whitelisted.

Comment 8 Lon Hohberger 2017-02-20 20:19:46 UTC
Actually, the rest of what is noted in comment #7 looks all right.

Comment 9 Lon Hohberger 2017-02-20 20:30:18 UTC
needs a bit more, going through the logs:

require {
	type openvswitch_t;
	class netlink_generic_socket { connect create getattr getopt setopt };
}

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_generic_socket { connect create getattr getopt setopt };

Comment 10 Lon Hohberger 2017-02-20 20:39:38 UTC
... which can be shortened to: create_socket_perms
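Comments 7, 9 and 10 walk through the same workflow by hand: collect the AVC denials from audit.log, let audit2allow fold them into require/allow statements, then replace the literal permission list with a reference-policy permission set. The script below is an added illustration of that aggregation; it is not code from the bug report or from openstack-selinux. The audit.log lines inside it are constructed to resemble the ovs-vswitchd and neutron-openvswitch-agent denials described in the thread, and RW_SOCKET_PERMS / CREATE_SOCKET_PERMS are transcribed from reference policy's obj_perm_sets.spt. It goes slightly beyond the page by also handling a denial against a different target type (nsfs_t), so both the `self` and the named-target form of the allow rule are produced.

```python
"""Fold SELinux AVC denials into audit2allow-style allow rules.

Added example, not code from the bug report or openstack-selinux. The
audit.log excerpt below is constructed to resemble the denials discussed
in the thread; it is not taken from the attached logs.
"""
import re
from collections import defaultdict

# Permission sets as defined in reference policy (obj_perm_sets.spt).
RW_SOCKET_PERMS = frozenset({"ioctl", "read", "getattr", "write", "setattr",
                             "append", "bind", "connect", "getopt", "setopt",
                             "shutdown"})
CREATE_SOCKET_PERMS = RW_SOCKET_PERMS | {"create"}

# Constructed sample of what audit.log shows once dontaudit rules are
# disabled (semodule -DB). The SYSCALL record carries no AVC decision.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1486509914.921:2933): avc:  denied  { create } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1486509914.922:2934): avc:  denied  { setopt } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1486509914.923:2935): avc:  denied  { getopt } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1486509914.924:2936): avc:  denied  { connect } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1486509914.925:2937): avc:  denied  { getattr } for  pid=1234 comm="ovs-vswitchd" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1486509915.001:2938): avc:  denied  { read open } for  pid=2345 comm="neutron-openvsw" path="/run/netns/qrouter" dev="nsfs" ino=4026532100 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486509915.001:2938): arch=c000003e syscall=2 success=no exit=-13 comm="neutron-openvsw"
"""

# Pull the permission set, both security contexts and the object class
# out of one AVC record. Context strings are user:role:type:level.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records: no access decision here
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def aggregate(denials):
    """Merge per-denial permissions into one set per (source, target, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Render a permission set the way audit2allow does: bare or braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules):
    """Emit a require block plus allow rules in audit2allow's shape."""
    types = sorted({t for (s, tg, _c) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # same type -> self
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out)


def macro_for(tclass, perms):
    """Name the reference-policy socket permission set covering perms, if any."""
    if not tclass.endswith("_socket"):
        return None
    if perms <= RW_SOCKET_PERMS:
        return "rw_socket_perms"
    if perms <= CREATE_SOCKET_PERMS:
        return "create_socket_perms"
    return None


if __name__ == "__main__":
    rules = aggregate(parse_denials(SAMPLE_AUDIT_LOG))
    print(render_module(rules))
    for (stype, _ttype, tclass), perms in rules.items():
        macro = macro_for(tclass, perms)
        if macro:
            print(f"# {stype} {tclass}: could be written as {macro}")
```

Run it as-is and the allow lines come out in the same shape as the ones in comments 1 and 9; the `macro_for` step is the reasoning behind comment 10, and it deliberately suggests a set only when the denied permissions are a subset of it, so a denial outside `create_socket_perms` is left as an explicit list rather than silently widened.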

