Bug 1642102 - Selinux is preventing OpenStack from launching multiqueue-enabled instances
Summary: Selinux is preventing OpenStack from launching multiqueue-enabled instances
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: z5
: 13.0 (Queens)
Assignee: Zoli Caplovic
QA Contact: Jon Schlueter
URL:
Whiteboard:
: 1608620 (view as bug list)
Depends On:
Blocks: 1581780 1658543 1658545 1658546 1658548 1658550
TreeView+ depends on / blocked
 
Reported: 2018-10-23 15:25 UTC by nalmond
Modified: 2019-12-05 05:13 UTC (History)
9 users (show)

Fixed In Version: openstack-selinux-0.8.16-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1658543 1658545 1658546 1658548 1658550 (view as bug list)
Environment:
Last Closed: 2019-03-14 13:34:19 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3966081 0 None None None 2019-12-05 05:13:44 UTC
Red Hat Knowledge Base (Solution) 4637401 0 None None None 2019-12-05 05:09:05 UTC
Red Hat Product Errata RHSA-2019:0564 0 None None None 2019-03-14 13:34:43 UTC

Description nalmond 2018-10-23 15:25:53 UTC
Description of problem:
When launching an instance with multiqueue enabled as an image property, the instance fails to start. An avc denial can be seen in the audit log:

type=AVC msg=audit(1540216030.840:31215): avc:  denied  { attach_queue } for  pid=34373 comm=43505520312F4B564D scontext=system_u:system_r:svirt_t:s0:c457,c875 tcontext=system_u:system_r:spc_t:s0 tclass=tun_socket

Disabling selinux or running the below commands allows the instance to start:

#audit2allow -a -M attach_queue
#semodule -i attach_queue.pp

Version-Release number of selected component (if applicable):
openstack-selinux-0.8.14-12.el7ost.noarch                   Wed Jul 11 03:27:18 2018
selinux-policy-3.13.1-192.el7_5.4.noarch                    Wed Jul 11 02:42:42 2018
selinux-policy-targeted-3.13.1-192.el7_5.4.noarch           Wed Jul 11 02:45:15 2018


How reproducible:
Consistently in this RHEL 7.5 RHOSP 13 environment

Steps to Reproduce:
1. Deploy RHOSP 13 with dpdk https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/network_functions_virtualization_planning_and_configuration_guide/
2. Attempt to launch an instance with multiqueue
3.

Actual results:
Instance fails to start with avc denial

Expected results:
Instance starts without manual selinux modification

Additional info:
This looks similar to an older bug https://bugzilla.redhat.com/show_bug.cgi?id=1095636

Comment 2 Zoli Caplovic 2018-11-14 13:49:53 UTC
Hello Nicholas, 

sorry for late response. I would like to ask whether there is any reason why you are trying it with RHEL 7.5? The issue might be fixed in RHEL 7.6 with the current container-selinux policy. 

Thank you 

Zoli Caplovic

Comment 6 Jon Schlueter 2019-01-02 17:55:23 UTC
missed cutoff will be in next batch

Comment 7 Priscila 2019-01-14 18:50:15 UTC
(In reply to Jon Schlueter from comment #6)
> missed cutoff will be in next batch

Thanks a lot!

Comment 8 smooney 2019-01-29 21:03:49 UTC
*** Bug 1608620 has been marked as a duplicate of this bug. ***

Comment 24 errata-xmlrpc 2019-03-14 13:34:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0564


Note You need to log in before you can comment on or make changes to this bug.