Bug 999447 - dnsmasq can't read host and opts files due to SELinux issues
Status: CLOSED DUPLICATE of bug 996776
Alias: None
Product: RDO
Classification: Community
Component: openstack-neutron
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: RHOS Maint
QA Contact: Ofer Blaut
Reported: 2013-08-21 10:35 UTC by Sandro Mathys
Modified: 2016-04-26 17:16 UTC
Last Closed: 2013-08-21 11:50:05 UTC


Attachments
audit.log of an affected system (63.19 KB, application/gzip)
2013-08-21 10:35 UTC, Sandro Mathys

Description Sandro Mathys 2013-08-21 10:35:49 UTC
Created attachment 788802
audit.log of an affected system

Description of problem:
Having configured Havana-2 with Neutron (using ovs/netns/gre), dnsmasq won't be able to hand out IP addresses because it can't read host and opts files.

Version-Release number of selected component (if applicable):
openstack-neutron-2013.2-0.3.b2.el6.noarch
openstack-neutron-openvswitch-2013.2-0.3.b2.el6.noarch
dnsmasq-2.48-13.el6.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Install and configure Neutron
2. Configure a network and subnet
3. Launch a guest

Actual results:
No IP over DHCP, dnsmasq having access problems, i.e. permission denied on host and opts files.

Expected results:
IP over DHCP.

Additional info:
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host: Permission denied
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts: Permission denied
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts

unconfined_u:system_r:dnsmasq_t:s0 nobody 5865  0.0  0.0  12880   772 ?        S    11:25   0:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tape560c086-b2 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host --dhcp-optsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=tag0,192.168.0.0,static,120s --conf-file= --domain=openstacklocal
unconfined_u:system_r:dnsmasq_t:s0 root   5866  0.0  0.0  12880   208 ?        S    11:25   0:00  \_ dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tape560c086-b2 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host --dhcp-optsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=tag0,192.168.0.0,static,120s --conf-file= --domain=openstacklocal

# ls -Z /var/lib/neutron/
drwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 dhcp
drwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   external
drwx------. neutron neutron unconfined_u:object_r:var_lib_t:s0 keystone-signing
drwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   lock
srwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   metadata_proxy
# ls -Z /var/lib/neutron/dhcp/
drwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 09ae9120-d280-477b-851d-7687c2394373
srwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 lease_relay
# ls -Z /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 host
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 interface
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 opts
-rw-r--r--. root    root    unconfined_u:object_r:dnsmasq_lease_t:s0 pid

See also the attached audit.log.gz (grep for dnsmasq for this issue - there also seems to be an issue around neutron-ns-meta and ifconfig for which I haven't found any consequences yet).
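
Added triage example (not part of the original report and not Neutron or dnsmasq code): it correlates the "Permission denied" syslog lines with the `ls -Z` listing above to check whether ordinary file mode bits could explain the denial, and if not, reports the process domain and file type pair to look for in the audit log. The inputs are copied from the report; the function names and the "mac" / "dac-or-mac" labels are this example's own.

```python
import re

# Copied from the report above: ls -Z of the per-network DHCP directory.
LS_Z = """\
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 host
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 interface
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 opts
-rw-r--r--. root    root    unconfined_u:object_r:dnsmasq_lease_t:s0 pid
"""
# Copied from the report above: the dnsmasq syslog denials.
SYSLOG = """\
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host: Permission denied
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts: Permission denied
"""
PROC_CONTEXT = "unconfined_u:system_r:dnsmasq_t:s0"  # from the ps output above


def parse_ls_z(text):
    """Map file name -> (mode string, SELinux type) from `ls -Z` lines."""
    entries = {}
    for line in text.splitlines():
        mode, _user, _group, context, name = line.split(None, 4)
        entries[name] = (mode, context.split(":")[2])
    return entries


def denied_paths(syslog):
    """Paths that dnsmasq reported as unreadable."""
    return re.findall(r"cannot read (\S+): Permission denied", syslog)


def triage(ls_z=LS_Z, syslog=SYSLOG, proc_context=PROC_CONTEXT):
    """Return (file, process domain, file type, suspected layer) per denial."""
    files = parse_ls_z(ls_z)
    domain = proc_context.split(":")[2]
    findings = []
    for path in denied_paths(syslog):
        mode, ftype = files[path.rsplit("/", 1)[1]]
        # A set "other" read bit means the mode bits allow any user to read the
        # file, so they cannot explain the denial. Parent directories are not
        # re-checked here; the report lists them as drwxr-xr-x.
        layer = "mac" if mode[7] == "r" else "dac-or-mac"
        findings.append((path.rsplit("/", 1)[1], domain, ftype, layer))
    return findings


if __name__ == "__main__":
    for name, domain, ftype, layer in triage():
        print(f"{name}: {domain} reading {ftype}: suspect {layer}")
```

On a live host, `ausearch -m avc -c dnsmasq` shows whether the audit log holds matching denials for the same domain and type pair.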

Comment 1 lpeer 2013-08-21 11:50:05 UTC

*** This bug has been marked as a duplicate of bug 996776 ***

