Bug 1676954 - After minor update (rhel 7.5 to 7.6) instance actions fail and neutron networking is broken
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 10.0 (Newton)
Assignee: Julie Pichon
QA Contact: nlevinki
Reported: 2019-02-13 16:38 UTC by Cristian Muresanu
Modified: 2019-04-30 16:59 UTC (History)

Fixed In Version: openstack-selinux-0.8.18-1.el7ost
Last Closed: 2019-04-30 16:59:39 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1658815 0 medium CLOSED Nova-api fails to start , sudo in nova-rootwrap blocked by SELinux 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2019:0922 0 None None None 2019-04-30 16:59:48 UTC

Internal Links: 1658815

Description Cristian Muresanu 2019-02-13 16:38:23 UTC
Description of problem:
After minor update (rhel 7.5 to 7.6) instance actions fail and neutron networking is broken

New instance spawn fails
Start instance fails
Live-migration fails

Version-Release number of selected component (if applicable):


How reproducible:
minor update (rhel 7.5 to 7.6)

Steps to Reproduce:
1.
2.
3.

Actual results:
instance actions fail and neutron networking is broken

Expected results:
Not fail

Additional info:

Comment 1 Cristian Muresanu 2019-02-13 16:46:24 UTC
After setting setenforce 0 on the controllers, restarting the neutron services and rabbit on the controllers, then setting setenforce 0 on the computes and restarting the neutron and openstack services, things get a little better, e.g. we no longer see the neutron errors in /var/log/secure. BUT instance actions like nova start continue to fail.

Comment 11 Julie Pichon 2019-02-22 16:52:42 UTC
This looks similar to the nova rootwrap issues that should have been resolved in openstack-selinux-0.8.15-1.el7ost / selinux-policy-3.13.1-229.el7_6.6 (bug 1645270 / bug 1638547), both of which are installed on the system. The current AVC denials only relate to neutron_t, so it's possible the same generic fix for pam authentication may work, though I am not sure specifically about pam_lsass. I will propose a patch.

Comment 14 Lon Hohberger 2019-03-11 13:31:23 UTC
Merged upstream. Simple workaround for pbis users.

Comment 15 Julie Pichon 2019-03-29 11:44:06 UTC
The workaround mentioned above, as well as the optional pbis boolean added for bug 1658815, are available in the latest build. Based on the discussions in the other bug, this should help with the AVCs mentioned here as well.

Comment 21 errata-xmlrpc 2019-04-30 16:59:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922
