Description of problem: When launching an instance with multiqueue enabled as an image property, the instance fails to start. An avc denial can be seen in the audit log: type=AVC msg=audit(1540216030.840:31215): avc: denied { attach_queue } for pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket Disabling selinux or running the below commands allows the instance to start: #audit2allow -a -M attach_queue #semodule -i attach_queue.pp Version-Release number of selected component (if applicable): openstack-selinux-0.8.14-12.el7ost.noarch Wed Jul 11 03:27:18 2018 selinux-policy-3.13.1-192.el7_5.4.noarch Wed Jul 11 02:42:42 2018 selinux-policy-targeted-3.13.1-192.el7_5.4.noarch Wed Jul 11 02:45:15 2018 How reproducible: Consistently in this RHEL 7.5 RHOSP 13 environment Steps to Reproduce: 1. Deploy RHOSP 13 with dpdk https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/network_functions_virtualization_planning_and_configuration_guide/ 2. Attempt to launch an instance with multiqueue 3. Actual results: Instance fails to start with avc denial Expected results: Instance starts without manual selinux modification Additional info: This looks similar to an older bug https://bugzilla.redhat.com/show_bug.cgi?id=1095636
Hello Nicholas, sorry for late response. I would like to ask whether there is any reason why you are trying it with RHEL 7.5? The issue might be fixed in RHEL 7.6 with the current container-selinux policy. Thank you Zoli Caplovic
missed cutoff will be in next batch
(In reply to Jon Schlueter from comment #6) > missed cutoff will be in next batch Thanks a lot!
*** Bug 1608620 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0564