RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1850973 - privsep-helper fails to spawn
Summary: privsep-helper fails to spawn
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: trunk
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: trunk
Assignee: Julie Pichon
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-06-25 10:01 UTC by Julie Pichon
Modified: 2020-06-25 15:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-06-25 15:59:29 UTC
Embargoed:




Links
System: Github redhat-openstack openstack-selinux pull 63 (Private: 0, Priority: None)
Status: closed
Summary: Add dac_override capability to neutron_t
Last Updated: 2020-10-17 21:43:06 UTC

Description Julie Pichon 2020-06-25 10:01:07 UTC
From https://github.com/redhat-openstack/openstack-selinux/pull/63:

The dac_override capability is required when spawning the privsep-helper. It's spawned by neutron-rootwrap which in itself is executed by sudo.

type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } for pid=91081 comm="privsep-helper" capability=1 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0

audit2allow in permissive mode gives the following:

$ ausearch -c privsep | audit2allow
#============= neutron_t ==============
allow neutron_t self:capability dac_override;


Related neutron log of the failure:

2020-06-25 11:13:51.639 12822 INFO oslo.privsep.daemon [-] Running privsep helper: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'privsep-helper', '--config-file', '/usr/share/neutron/neutron-dist.conf', '--config-file', '/etc/neutron/neutron.conf', '--config-file', '/etc/neutron/plugins/ml2/openvswitch_agent.ini', '--config-dir', '/etc/neutron/conf.d/neutron-openvswitch-agent', '--privsep_context', 'neutron.privileged.default', '--privsep_sock_path', '/tmp/tmppqo1gie4/privsep.sock']
2020-06-25 11:13:52.798 12822 CRITICAL oslo.privsep.daemon [-] privsep helper command exited non-zero (1)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp [-] Agent main thread died of an exception: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp Traceback (most recent call last):
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/openflow/native/ovs_oskenapp.py", line 40, in agent_main_wrapper
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     ovs_agent.main(bridge_classes)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2768, in main
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     validate_tunnel_config(cfg.CONF.AGENT.tunnel_types, cfg.CONF.OVS.local_ip)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2737, in validate_tunnel_config
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     validate_local_ip(local_ip)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 2725, in validate_local_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     if not ip_lib.IPWrapper().get_device_by_ip(local_ip):
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 200, in get_device_by_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     devices = get_devices_with_ip(self.namespace, **kwargs)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/agent/linux/ip_lib.py", line 1365, in get_devices_with_ip
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     devices = privileged.get_link_devices(namespace, **link_args)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/neutron/privileged/agent/linux/ip_lib.py", line 73, in sync_inner
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     return input_func(*args, **kwargs)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 244, in _wrap
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     self.start()
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/priv_context.py", line 255, in start
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     channel = daemon.RootwrapClientChannel(context=self)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp   File "/usr/lib/python3.6/site-packages/oslo_privsep/daemon.py", line 331, in __init__
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp     raise FailedToDropPrivileges(msg)
2020-06-25 11:13:52.799 12822 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.openflow.native.ovs_oskenapp oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)


Additional information:

PR is already posted on github, creating a bug to have a reference to add a test.
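The AVC record and the allow rule audit2allow derives from it, as an added example that is not part of the bug report or of the openstack-selinux project: a small parser that pulls the source and target types, object class and permissions out of AVC records and renders the corresponding TE allow rule, collapsing repeated denials into one rule the way audit2allow does. The first sample is the denial quoted above; the second is a constructed duplicate from another pid.

```python
import re

# Constructed sample records: the first is the AVC denial quoted in the bug
# report, the second a made-up duplicate from another pid, included to show
# that repeated denials collapse into a single rule.
SAMPLE_AVC = (
    'type=AVC msg=audit(1593076023.722:2752): avc: denied { dac_override } '
    'for pid=91081 comm="privsep-helper" capability=1 '
    'scontext=system_u:system_r:neutron_t:s0 '
    'tcontext=system_u:system_r:neutron_t:s0 tclass=capability permissive=0'
)
SAMPLE_AVC_DUP = SAMPLE_AVC.replace('pid=91081', 'pid=91099')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # A context is user:role:type:level; the type is what TE rules name.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec['permissive'] == '1'
    return rec


def allow_rule(rec):
    """Render the TE allow rule audit2allow would propose for one denial."""
    target = 'self' if rec['source_type'] == rec['target_type'] else rec['target_type']
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {target}:{rec['tclass']} {perm_str};"


def rules_for(lines):
    """Sorted, deduplicated allow rules for every denied AVC record in lines."""
    recs = (parse_avc(line) for line in lines)
    return sorted({allow_rule(r) for r in recs if r and r['result'] == 'denied'})
```

For the denial quoted above this yields exactly the single rule shown in the report. A rule granting a capability such as dac_override applies to every process in the domain and lets it bypass file permission checks, so review what the domain actually needs before loading the generated module.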
