
Bug 1359216

Summary: openstack-selinux does not allow neutron to access /proc/self/ns/net (centos)
Product: [Community] RDO
Reporter: Gema Gomez <gema.gomez-solano>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED DUPLICATE
QA Contact: Ofer Blaut <oblaut>
Severity: medium
Docs Contact:
Priority: unspecified
Version: Mitaka
CC: dhill, gema.gomez-solano, mjuszkie, srevivo
Target Milestone: ---
Target Release: trunk
Hardware: aarch64
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-17 15:35:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Gema Gomez 2016-07-22 14:08:20 UTC
Description of problem:
OpenStack with packstack on CentOS; neutron was not able to function properly due to:
 /var/log/neutron/dhcp-agent.log:2016-07-03 13:20:04.605 1600 ERROR neutron.agent.linux.dhcp RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: open("/proc/self/ns/net"): Permission denied

Version-Release number of selected component (if applicable):
Package openstack-selinux-0.7.2-1.el7.noarch 

How reproducible:
Every time. 

Steps to Reproduce:
Installed packstack following RDO instructions on AArch64.

Used the following repo for AArch64:

Actual results: Neutron was not allowed to access /proc/self/ns/net

Expected Results: Neutron should be allowed to access /proc/self/ns/net

Additional info:
After adding the following rules the error went away:
# cat neutron_fix_read.te

module neutron_fix_read 1.0;

require {
        type unlabeled_t;
        type neutron_t;
        type proc_net_t;
        class file { read open };
}

#============= neutron_t ==============
# read/open denied to neutron_t when opening /proc/self/ns/net
allow neutron_t unlabeled_t:file open;
allow neutron_t unlabeled_t:file read;

allow neutron_t proc_net_t:file open;
allow neutron_t proc_net_t:file read;

Comment 1 David Hill 2016-09-06 03:03:13 UTC
I'm not able to reproduce this with Mitaka on RHEL 7.2 but I definitely have this issue with Newton on RHEL 7.2.

Comment 2 David Hill 2016-09-06 03:03:32 UTC

Comment 3 David Hill 2016-09-06 03:04:17 UTC
Hello Gema,

   Which kernel version are you using?  Where does it come from?

Thank you very much,


Comment 4 Gema Gomez 2016-09-06 05:08:03 UTC
I was using the kernel from the linaro overlay:

I don't have this system deployed anymore, but based on the date of this bug and how I was testing, the kernel I was using was kernel-devel-4.4.11-reference.132.aarch64.rpm from this repo. 

Hope that helps.

Comment 5 Lon Hohberger 2017-02-17 15:35:41 UTC

*** This bug has been marked as a duplicate of bug 1373321 ***