Created attachment 786326
output of ausearch -i -m avc after doing packstack --allinone and launching a VM

Description of problem:
Various permissions errors occur when launching neutron services/using neutron. I'm assuming that the rename from quantum to neutron broke all of the related selinux policies. All binaries, configs/dirs, usernames etc. have had s/quantum/neutron/ done.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. packstack --allinone
2. . keystonerc_demo
3. nova --boot --image cirros --flavor 1 --nic netid=${id of 'private' network} test
4. ausearch -i -m avc

Actual results:
Instance gets a DHCP address/No avc errors

Expected results:
Instance does not get a DHCP address/Lots of avc errors

Additional info:
I should also point out that neutron ships with the quantum-named binaries as well for compatibility reasons for now. So the rules should probably cover both.
*** Bug 999447 has been marked as a duplicate of this bug. ***
I can confirm this bug in a test environment here (rdo-havana on CentOS 6.4). The VMs won't receive a DHCP response. It can be identified this way also:

# grep DHCPDISCOVER /var/log/messages
Sep 5 01:28:38 opentron dnsmasq-dhcp[3284]: DHCPDISCOVER(tapa5331882-85) fa:16:3e:96:4d:a3 no address available

# tail -f /var/log/messages | grep dnsmasq &
# killall -HUP dnsmasq
Sep 5 01:32:05 opentron dnsmasq[2148]: read /etc/hosts - 2 addresses
Sep 5 01:32:05 opentron dnsmasq[3284]: cleared cache
Sep 5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host: Permission denied
Sep 5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host
Sep 5 01:32:05 opentron dnsmasq[3284]: cannot read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts: Permission denied
Sep 5 01:32:05 opentron dnsmasq-dhcp[3284]: read /var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts
Sep 5 01:32:05 opentron dnsmasq[2148]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Sep 5 01:32:05 opentron dnsmasq-dhcp[2148]: read /var/lib/libvirt/dnsmasq/default.hostsfile

As a test I ran dnsmasq as root to check:

# ip net exec qdhcp-521717de-5dbe-4756-8ef2-fe17321eeae8 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapa5331882-85 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/host --dhcp-optsfile=/var/lib/neutron/dhcp/521717de-5dbe-4756-8ef2-fe17321eeae8/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,120s --conf-file= --domain=openstacklocal

and it works.
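The report collects denials with `ausearch -i -m avc`, and the comment above narrows the failure to dnsmasq being unable to read the neutron DHCP host/opts files. The script below is an added triage helper, not code from this bug, from the selinux-policy packages or from any OpenStack project: it parses interpreted AVC records and counts them by source type, target type, object class and permission, which is the tuple a policy fix has to allow. The sample records embedded in it are constructed for illustration (the contexts, pids and inode numbers are made up, not copied from the report).

```python
"""Summarise SELinux AVC denials from `ausearch -i -m avc` output.

Added example for triaging the permission problem in this bug report; not part
of the bug, the selinux-policy packages or any OpenStack project.
"""
import re
from collections import Counter

# Constructed sample of interpreted ausearch output (pids, inodes and contexts
# are made up for illustration, not taken from the bug report).
SAMPLE_AUSEARCH = """\
----
type=SYSCALL msg=audit(09/05/2013 01:32:05.117:2301) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)
type=AVC msg=audit(09/05/2013 01:32:05.117:2301) : avc:  denied  { read } for  pid=3284 comm=dnsmasq name=host dev=dm-0 ino=131337 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file
----
type=AVC msg=audit(09/05/2013 01:32:05.118:2302) : avc:  denied  { read } for  pid=3284 comm=dnsmasq name=opts dev=dm-0 ino=131338 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file
----
type=AVC msg=audit(09/05/2013 01:32:06.002:2303) : avc:  denied  { execute } for  pid=3284 comm=dnsmasq name=neutron-dhcp-agent-dnsmasq-lease-update dev=dm-0 ino=9921 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_exec_t:s0 tclass=file
"""

# Matches the "avc:  denied  { read open }" part of an interpreted AVC record.
AVC_HEAD_RE = re.compile(
    r"\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# Matches the space-separated key=value fields of a record.
KV_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type component of an SELinux context,
    e.g. 'system_u:system_r:dnsmasq_t:s0' -> 'dnsmasq_t'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_records(text):
    """Parse every AVC record in ausearch -i output into a dict.

    SYSCALL/PATH records and the '----' separators are skipped."""
    records = []
    for line in text.splitlines():
        head = AVC_HEAD_RE.search(line)
        if head is None or "type=AVC" not in line:
            continue
        fields = dict(KV_RE.findall(line))
        records.append({
            "decision": head.group("decision"),
            "perms": head.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", "?"),
            "scontext": fields.get("scontext", "?"),
            "tcontext": fields.get("tcontext", "?"),
            "tclass": fields.get("tclass", "?"),
        })
    return records


def summarize(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in records:
        if rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]),
                   context_type(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def format_summary(counts):
    """One line per (source, target, class, perm) tuple, most frequent first.

    An empty summary gets a triage hint instead: a dontaudit rule can hide a
    denial that still blocks access, so silence does not mean SELinux is not
    involved."""
    if not counts:
        return ["no AVC denials found; if access still fails the denial may be "
                "dontaudit'ed (semodule -DB disables dontaudit rules, "
                "semodule -B restores them)"]
    lines = []
    for (stype, ttype, tclass, perm), n in counts.most_common():
        lines.append("{0} -> {1}:{2} {{ {3} }}  x{4}".format(
            stype, ttype, tclass, perm, n))
    return lines


if __name__ == "__main__":
    # Run against the constructed sample; feed real output via stdin in practice.
    for out in format_summary(summarize(parse_avc_records(SAMPLE_AUSEARCH))):
        print(out)
```

Pipe real output into `parse_avc_records` (`ausearch -i -m avc -ts recent`, for example) and the summary gives the exact (source type, target type, class, permission) tuples to check against the policy under test; the empty-result hint matters for this bug in particular, where the failure was observed without any AVC entries.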
Created attachment 796015
Initial patch

This patch was rejected, but is included for reference.
Created attachment 796016
Upstream patch from Dan Walsh
*** Bug 1008142 has been marked as a duplicate of this bug. ***
Unofficial test packages: http://people.redhat.com/lhh/selinux-policy/
This is a backport of Dan's patch: https://bugzilla.redhat.com/attachment.cgi?id=796034
Patch looks good to me after a (very) quick test. Obviously it's hard to test each and every aspect of Neutron, but at least the access denied messages as described in comment #3 have vanished; dnsmasq was able to read those files just fine, and I never noticed any other SELinux-related issues anyway, myself.
Miroslav also did a build for this; I'll update the repository with his patch/build.
I updated the packages as well.
I tested the packages by setting up lhh's repo. I saw no avc denials.
(In reply to Terry Wilson from comment #12)
> I tested the packages by setting up lhh's repo. I saw no avc denials.

FWIW: the issue in this bug never created any AVC denials but just stopped things from working. Anyway, also tested the updated packages and all looks good.
Yes, we need to be sure there is no regression.
Ok, so we need to see if RDO/Grizzly still works