999447 – dnsmasq can't read host and opts files due to SELinux issues

RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 999447 - dnsmasq can't read host and opts files due to SELinux issues

Summary: dnsmasq can't read host and opts files due to SELinux issues

Keywords:
Status:	CLOSED DUPLICATE of bug 996776
Alias:	None
Product:	RDO
Classification:	Community
Component:	openstack-neutron
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	RHOS Maint
QA Contact:	Ofer Blaut
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-08-21 10:35 UTC by Sandro Mathys
Modified:	2016-04-26 17:16 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-08-21 11:50:05 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
audit.log of an affected system (63.19 KB, application/gzip) 2013-08-21 10:35 UTC, Sandro Mathys	no flags	Details
View All

Description Sandro Mathys 2013-08-21 10:35:49 UTC

Created attachment 788802 [details]
audit.log of an affected system

Description of problem:
Having configured Havana-2 with Neutron (using ovs/netns/gre), dnsmasq won't be able to hand out IP addresses because it can't read host and opts files.

Version-Release number of selected component (if applicable):
openstack-neutron-2013.2-0.3.b2.el6.noarch
openstack-neutron-openvswitch-2013.2-0.3.b2.el6.noarch
dnsmasq-2.48-13.el6.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Install and configure Neutron
2. Configure a network and subnet
3. Launch a guest

Actual results:
No IP over DHCP, dnsmasq having access problems, i.e. permission denied on host and opts files.

Expected results:
IP over DHCP.

Additional info:
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host: Permission denied
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: cannot read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts: Permission denied
Aug 21 11:10:49 ctrl-stg dnsmasq[4945]: read /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts

unconfined_u:system_r:dnsmasq_t:s0 nobody 5865  0.0  0.0  12880   772 ?        S    11:25   0:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tape560c086-b2 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host --dhcp-optsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=tag0,192.168.0.0,static,120s --conf-file= --domain=openstacklocal
unconfined_u:system_r:dnsmasq_t:s0 root   5866  0.0  0.0  12880   208 ?        S    11:25   0:00  \_ dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tape560c086-b2 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/host --dhcp-optsfile=/var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/opts --dhcp-script=/usr/bin/neutron-dhcp-agent-dnsmasq-lease-update --leasefile-ro --dhcp-range=tag0,192.168.0.0,static,120s --conf-file= --domain=openstacklocal

# ls -Z /var/lib/neutron/
drwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 dhcp
drwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   external
drwx------. neutron neutron unconfined_u:object_r:var_lib_t:s0 keystone-signing
drwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   lock
srwxr-xr-x. neutron neutron system_u:object_r:var_lib_t:s0   metadata_proxy
# ls -Z /var/lib/neutron/dhcp/
drwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 09ae9120-d280-477b-851d-7687c2394373
srwxr-xr-x. neutron neutron unconfined_u:object_r:var_lib_t:s0 lease_relay
# ls -Z /var/lib/neutron/dhcp/09ae9120-d280-477b-851d-7687c2394373/
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 host
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 interface
-rw-r--r--. neutron neutron unconfined_u:object_r:var_lib_t:s0 opts
-rw-r--r--. root    root    unconfined_u:object_r:dnsmasq_lease_t:s0 pid

See also the attached audit.log.gz (grep for dnsmasq for this issue - there also seems to be an issue around neutron-ns-meta and ifconfig for which I haven't found any consequences yet).

Comment 1 lpeer 2013-08-21 11:50:05 UTC


*** This bug has been marked as a duplicate of bug 996776 ***

Note You need to log in before you can comment on or make changes to this bug.