Bug #15640

OpenStack Neutron service SELinux denial during provisioning

Added by Lukas Zapletal over 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: Compute resources
Target version: -
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Neutron port 9696 is missing in our policy. It looks like it is present in both RHEL6 and RHEL7 (tested with 6.6 and 7.2) so easy fix.

Steps to Reproduce:
1. Provision a 'New Host' on OpenStack and observe /var/log/audit/audit.log to see the SELinux denial issues.

Actual results:
In /var/log/audit/audit.log

type=AVC msg=audit(1467659098.220:1559): avc: denied { name_connect } for pid=11002 comm="diagnostic_con*" dest=9696 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket
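
Added example (not part of the original ticket and not foreman-selinux code): a small Python triage helper that parses AVC denials like the one above and prints the type-enforcement rule that would permit them. The function names are hypothetical, and the mapping to a corenet_tcp_connect_<name>_port interface assumes the reference-policy naming convention seen in the title of related Bug #16263.

```python
import re

# Constructed sample input: the denial quoted in this ticket plus one
# made-up non-AVC record that the parser must skip.
SAMPLE_LOG = '''type=AVC msg=audit(1467659098.220:1559): avc: denied { name_connect } for pid=11002 comm="diagnostic_con*" dest=9696 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1467659098.220:1559): arch=c000003e syscall=42 success=no
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type[:mls]; the type is the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def te_rule(rec):
    """Raw allow rule for the denial, in the form audit2allow prints."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ ' + ' '.join(rec['perms']) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perms};"

def refpolicy_interface(rec):
    """Interface call for an outbound TCP connect to a labelled port, else None.
    Assumption: the port type is named <name>_port_t, as in the reference policy."""
    tgt = rec['target_type']
    if rec['tclass'] == 'tcp_socket' and rec['perms'] == ['name_connect'] and tgt.endswith('_port_t'):
        return f"corenet_tcp_connect_{tgt[:-len('_port_t')]}_port({rec['source_type']})"
    return None

if __name__ == '__main__':
    for rec in parse_log(SAMPLE_LOG):
        print(f"port {rec.get('dest')}: {te_rule(rec)}")
        print(f"  interface form: {refpolicy_interface(rec)}")
```

Review each generated rule before adding it to a policy module: a rule derived from a denial grants exactly what was blocked, so it should only be accepted when the connection (here, Passenger to the Neutron API port) is expected behaviour.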


Related issues

Related to SELinux - Bug #16263: corenet_tcp_connect_neutron_port not available on EL6.5 buildroot (Closed, 2016-08-24)

Associated revisions

Revision 264951f8 (diff)
Added by Lukas Zapletal over 4 years ago

Fixes #15640 - added neutron port

History

#1 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/59 added

#2 Updated by Daniel Lobato Garcia over 4 years ago

  • Target version set to 117

#3 Updated by Daniel Lobato Garcia over 4 years ago

  • Target version changed from 117 to 1.6.2

#4 Updated by Anonymous over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Dominic Cleal over 4 years ago

  • Legacy Backlogs Release (now unused) set to 175

#6 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #16263: corenet_tcp_connect_neutron_port not available on EL6.5 buildroot added

#7 Updated by Greg Sutcliffe over 2 years ago

  • Target version deleted (1.12.2)
