Bug 1359216 - openstack-selinux does not allow neutron to access /proc/self/ns/net (centos)
Summary: openstack-selinux does not allow neutron to access /proc/self/ns/net (centos)
Keywords:
Status: CLOSED DUPLICATE of bug 1373321
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: Mitaka
Hardware: aarch64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: trunk
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-22 14:08 UTC by Gema Gomez
Modified: 2017-02-17 15:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-17 15:35:41 UTC



Description Gema Gomez 2016-07-22 14:08:20 UTC
Description of problem:
OpenStack was installed with packstack on CentOS, and neutron was not able to function properly due to:
/var/log/neutron/dhcp-agent.log:2016-07-03 13:20:04.605 1600 ERROR neutron.agent.linux.dhcp RuntimeError: Exit code: 1; Stdin: ; Stdout: ; Stderr: open("/proc/self/ns/net"): Permission denied

Version-Release number of selected component (if applicable):
Package openstack-selinux-0.7.2-1.el7.noarch 

How reproducible:
Every time. 

Steps to Reproduce:
Installed packstack following RDO instructions on AArch64.

Used the following repo for AArch64:
http://people.linaro.org/~marcin.juszkiewicz/centos7/openstack-mitaka/

Actual results: Neutron was not allowed to access /proc/self/ns/net

Expected results: Neutron should be allowed to access /proc/self/ns/net


Additional info:
After adding the following rules the error went away:
# cat neutron_fix_read.te

module neutron_fix_read 1.0;

require {
        type unlabeled_t;
        type neutron_t;
        type proc_net_t;
        class file { read open };
}

#============= neutron_t ==============
# Let the neutron agents open and read files that carry no SELinux label (unlabeled_t)
allow neutron_t unlabeled_t:file open;
allow neutron_t unlabeled_t:file read;

# Let the neutron agents open and read files labeled proc_net_t
allow neutron_t proc_net_t:file open;
allow neutron_t proc_net_t:file read;
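The module above is the kind of output audit2allow produces from AVC denial records. As an added example, not code from the bug report or from openstack-selinux, the following Python script shows how such rules are derived: it parses constructed audit log lines (the timestamps, PIDs and inode numbers are made up; the types match the ones the reporter's module names), merges the denied permissions per source type, target type and class, renders a .te module in the same shape, and flags any rule whose target is unlabeled_t, since that type covers every object without a label and grants far more than access to /proc/self/ns/net. The rule names and the review heuristic are the example's own choices, not part of the RDO fix.

```python
"""Added example (not part of the bug report): derive the allow rules of a
local SELinux policy module from AVC denial records, the way audit2allow
does, then flag targets such as unlabeled_t that a reviewer should question
before loading the module."""
import re
from collections import defaultdict

# Constructed sample audit records for the failure described in the report.
# Timestamps, PIDs and inode numbers are made up; the contexts mirror the
# types the reporter's module names (neutron_t, proc_net_t, unlabeled_t).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1467552004.601:2201): avc:  denied  { read } for  pid=1600 comm="ip" path="/proc/self/ns/net" dev="proc" ino=12345 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467552004.602:2202): avc:  denied  { open } for  pid=1600 comm="ip" path="/proc/self/ns/net" dev="proc" ino=12345 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467552004.603:2203): avc:  denied  { read } for  pid=1601 comm="ip" path="/proc/1601/ns/net" dev="proc" ino=12346 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1467552004.604:2204): avc:  denied  { open } for  pid=1601 comm="ip" path="/proc/1601/ns/net" dev="proc" ino=12346 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1467552004.604:2204): arch=c00000b7 syscall=56 success=no exit=-13
"""

# Pull the denied permissions, the source and target types (third field of
# the user:role:type[:mls] context) and the object class out of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)"
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Target types a reviewer should not wave through: unlabeled_t is assigned to
# any object that carries no label, so a rule on it is not scoped to /proc.
BROAD_TARGET_TYPES = {"unlabeled_t"}


def parse_denials(audit_text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC fields
        key = (m["stype"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def render_module(name, denials, version="1.0"):
    """Render a .te source in the layout audit2allow uses (require block,
    then one allow rule per source/target/class with merged permissions)."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
              for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, cls), perms in sorted(denials.items()):
        lines.append(f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def review_rules(denials):
    """Return one warning per rule whose target type is too broad to load
    without first asking why the object was not labeled more specifically."""
    warnings = []
    for (stype, ttype, cls), perms in sorted(denials.items()):
        if ttype in BROAD_TARGET_TYPES:
            warnings.append(
                f"{stype} -> {ttype}:{cls} {sorted(perms)}: target type is broad; "
                "prefer giving the object a specific label over allowing unlabeled_t"
            )
    return warnings


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print(render_module("neutron_fix_read", found))
    for warning in review_rules(found):
        print("WARNING:", warning)
```

Run against the constructed log the script prints a module equivalent to the reporter's (one merged `{ open read }` rule per target type instead of two single-permission rules) and one warning for the unlabeled_t rule, which is the part of the workaround a defender would want explained before it goes into a production policy.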

Comment 1 David Hill 2016-09-06 03:03:13 UTC
I'm not able to reproduce this with Mitaka on RHEL 7.2 but I definitely have this issue with Newton on RHEL 7.2.

Comment 2 David Hill 2016-09-06 03:03:32 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=1373321

Comment 3 David Hill 2016-09-06 03:04:17 UTC
Hello Gema,

   Which kernel version are you using?  Where does it come from?

Thank you very much,

Dave

Comment 4 Gema Gomez 2016-09-06 05:08:03 UTC
I was using the kernel from the linaro overlay:
http://repo.linaro.org/rpm/linaro-overlay/centos-7/repo/

I don't have this system deployed anymore, but based on the date of this bug and how I was testing, the kernel I was using was kernel-devel-4.4.11-reference.132.aarch64.rpm from this repo. 

Hope that helps.

Comment 5 Lon Hohberger 2017-02-17 15:35:41 UTC

*** This bug has been marked as a duplicate of bug 1373321 ***

