Thursday, December 11, 2014

Testing Juno on CentOS 7 with SELinux enforcing

AVC denials during and after the packstack run. The one that actually breaks the DHCP agent is dnsmasq (running as dnsmasq_t) being refused "search" on the neutron_log_t directory; that is what the "cannot open log /var/log/neutron/dnsmasq.log: Permission denied" line in the journal below means. The nova_api_t and keystone_t records in the audit log are separate denials from the packstack run itself and are kept for completeness.

****************************************************************************
Attempt restart neutron-dhcp-agent.service with dnsmasq enabled
****************************************************************************

[root@juno ~]# systemctl status  neutron-dhcp-agent.service -l
neutron-dhcp-agent.service - OpenStack Neutron DHCP Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-dhcp-agent.service; enabled)
   Active: active (running) since Thu 2014-12-11 08:17:45 EST; 23s ago
 Main PID: 10255 (neutron-dhcp-ag)
   CGroup: /system.slice/neutron-dhcp-agent.service
           └─10255 /usr/bin/python /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --log-file /var/log/neutron/dhcp-agent.log

Dec 11 08:17:45 juno.localdomain systemd[1]: Starting OpenStack Neutron DHCP Agent...
Dec 11 08:17:45 juno.localdomain systemd[1]: Started OpenStack Neutron DHCP Agent.
Dec 11 08:17:47 juno.localdomain sudo[10266]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip link set tap6d7e5854-58 up
Dec 11 08:17:48 juno.localdomain sudo[10269]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip addr show tap6d7e5854-58 permanent scope global
Dec 11 08:17:48 juno.localdomain sudo[10276]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip route list dev tap6d7e5854-58 scope link
Dec 11 08:17:48 juno.localdomain sudo[10285]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 ip route list dev tap6d7e5854-58
Dec 11 08:17:48 juno.localdomain sudo[10289]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap /etc/neutron/rootwrap.conf ip netns exec qdhcp-ccfc4bb1-696d-4381-91d7-28ce7c9cb009 env NEUTRON_NETWORK_ID=ccfc4bb1-696d-4381-91d7-28ce7c9cb009 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap6d7e5854-58 --except-interface=lo --pid-file=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/host --addn-hosts=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/ccfc4bb1-696d-4381-91d7-28ce7c9cb009/opts --leasefile-ro --dhcp-range=set:tag0,10.0.0.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq.conf --domain=openstacklocal
Dec 11 08:17:49 juno.localdomain dnsmasq[10291]: cannot open log /var/log/neutron/dnsmasq.log: Permission denied
Dec 11 08:17:49 juno.localdomain dnsmasq[10291]: FAILED to start up

*************************************************
 cat  /var/log/audit/audit.log | grep -i avc
************************************************

type=USER_AVC msg=audit(1418301241.093:22175): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1418302563.923:26020): avc:  denied  { signal } for  pid=11874 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
type=AVC msg=audit(1418302655.746:250): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:252): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:253): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:254): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.754:255): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.968:260): avc:  denied  { search } for  pid=4128 comm="nova-rootwrap" name=".local" dev="dm-1" ino=138303468 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1418302656.488:272): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:274): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:275): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:276): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.496:277): avc:  denied  { search } for  pid=4138 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302656.543:280): avc:  denied  { search } for  pid=4139 comm="nova-rootwrap" name=".local" dev="dm-1" ino=138303468 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1418303504.663:3261): avc:  denied  { search } for  pid=8861 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303535.870:3369): avc:  denied  { search } for  pid=8986 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303567.129:3480): avc:  denied  { search } for  pid=9086 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303598.400:3593): avc:  denied  { search } for  pid=9217 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303629.511:3716): avc:  denied  { search } for  pid=9368 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303660.889:3834): avc:  denied  { search } for  pid=9503 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303692.339:3938): avc:  denied  { search } for  pid=9626 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303723.502:4053): avc:  denied  { search } for  pid=9767 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303754.847:4159): avc:  denied  { search } for  pid=9875 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303786.015:4272): avc:  denied  { search } for  pid=9984 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303817.131:4378): avc:  denied  { search } for  pid=10089 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303848.215:4491): avc:  denied  { search } for  pid=10198 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303869.080:4574): avc:  denied  { search } for  pid=10293 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303900.477:4690): avc:  denied  { search } for  pid=10425 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303931.657:4793): avc:  denied  { search } for  pid=10542 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303962.808:4911): avc:  denied  { search } for  pid=10669 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303993.921:5012): avc:  denied  { search } for  pid=10782 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418304025.148:5137): avc:  denied  { search } for  pid=10916 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir

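Before reaching for setenforce, it is worth reducing the audit log to the distinct (source type, target type, class, permissions) tuples, which is the same aggregation audit2allow performs before it proposes rules. The script below is an added example, not part of the original post or of any OpenStack or RDO tool; the sample records are copied from the audit.log excerpt above and the "report"/"te_rules" helper names are my own. It also picks out the USER_AVC "setenforce notice" record, which is the evidence of a mode change on the box.

```python
import re
from collections import defaultdict

# Sample records copied from the audit.log excerpt above (one per distinct denial).
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1418301241.093:22175): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1418302563.923:26020): avc:  denied  { signal } for  pid=11874 comm="keystone-all" scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:system_r:keystone_t:s0 tclass=process
type=AVC msg=audit(1418302655.746:250): avc:  denied  { search } for  pid=4126 comm="sudo" name="sss" dev="dm-1" ino=136223202 scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1418302655.968:260): avc:  denied  { search } for  pid=4128 comm="nova-rootwrap" name=".local" dev="dm-1" ino=138303468 scontext=system_u:system_r:nova_api_t:s0 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1418303504.663:3261): avc:  denied  { search } for  pid=8861 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
type=AVC msg=audit(1418303535.870:3369): avc:  denied  { search } for  pid=8986 comm="dnsmasq" name="neutron" dev="dm-1" ino=204294423 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r' for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?P<rest>.*?)'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SETENFORCE_RE = re.compile(r"type=USER_AVC .*setenforce notice \(enforcing=(?P<mode>[01])\)")
NAME_RE = re.compile(r'name="([^"]*)"')


def selinux_type(context):
    # user:role:type:level -> type (the third field survives MLS ranges in the level).
    return context.split(":")[2]


def parse_audit(lines):
    """Collapse AVC records into {(source type, target type, class): set(perms)}
    plus the example comm/name seen for each tuple, and list setenforce notices."""
    denials = defaultdict(set)
    witness = {}
    mode_changes = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
            n = NAME_RE.search(m["rest"])
            witness.setdefault(key, (m["comm"], n.group(1) if n else ""))
            continue
        m = SETENFORCE_RE.search(line)
        if m:
            mode_changes.append("permissive" if m["mode"] == "0" else "enforcing")
    return denials, witness, mode_changes


def te_rules(denials):
    """Emit the allow rules audit2allow would propose, one per tuple, sorted."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in denials.items()
    )


def report(text):
    denials, witness, modes = parse_audit(text.splitlines())
    out = ["mode changes seen: %s" % (", ".join(modes) or "none")]
    for key in sorted(denials):
        comm, name = witness[key]
        out.append("%s -> %s (%s) %s  [comm=%s name=%s]"
                   % (key[0], key[1], key[2], " ".join(sorted(denials[key])), comm, name))
    out.extend(te_rules(denials))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

Run it against the real file with `python avc_summary.py < /dev/null` replaced by reading /var/log/audit/audit.log, or just paste the grep output into SAMPLE_AUDIT_LOG. The rules it prints are raw translations of the denials and need review before they go into a local module (audit2allow -M does the same thing with no judgement): the dnsmasq_t search on neutron_log_t is exactly the access the DHCP agent needs and is the candidate to allow, or to obtain from the distribution's OpenStack SELinux policy package if it already carries it; the nova_api_t denials into sssd_var_lib_t and a home-directory gconf_home_t are side effects of sudo/rootwrap being run from an unconfined login and do not justify widening nova_api_t. Switching the whole box to permissive to get dnsmasq running removes every one of these checks, not just the one that matters.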
*****************************************************
Switching SELinux to permissive (setenforce 0)
*****************************************************

Note that this is permissive mode, not SELinux disabled: the USER_AVC record above reads "setenforce notice (enforcing=0)", and in the journal below setroubleshoot keeps reporting "SELinux is preventing /usr/sbin/dnsmasq from write ..." even though dnsmasq now starts. Permissive mode still evaluates and logs every denial, it just stops enforcing them; a disabled policy (SELINUX=disabled plus a reboot) would produce no such messages at all.

[root@juno ~]# systemctl status  neutron-dhcp-agent.service
neutron-dhcp-agent.service - OpenStack Neutron DHCP Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-dhcp-agent.service; enabled)
   Active: active (running) since Thu 2014-12-11 08:25:52 EST; 14s ago
 Main PID: 12515 (neutron-dhcp-ag)
   CGroup: /system.slice/neutron-dhcp-agent.service
           ├─12515 /usr/bin/python /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutro...
           └─12542 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap6d7e...

Dec 11 08:25:52 juno.localdomain systemd[1]: Starting OpenStack Neutron DHCP Agent...
Dec 11 08:25:52 juno.localdomain systemd[1]: Started OpenStack Neutron DHCP Agent.
Dec 11 08:25:53 juno.localdomain sudo[12526]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/... up
Dec 11 08:25:53 juno.localdomain sudo[12529]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...bal
Dec 11 08:25:54 juno.localdomain sudo[12532]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...ink
Dec 11 08:25:54 juno.localdomain sudo[12535]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...-58
Dec 11 08:25:54 juno.localdomain sudo[12538]: neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/...ace
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from write ...y .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Dec 11 08:25:56 juno.localdomain python[12544]: SELinux is preventing /usr/sbin/dnsmasq from setatt...e .
                                               
                                                *****  Plugin catchall (100. confidence) suggests   **...
Hint: Some lines were ellipsized, use -l to show in full.