tripleo

Wrong context for /var/run/openvswitch directory

Bug #1853844 reported by Cédric Jeanneret on 2019-11-25

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Medium	Cédric Jeanneret

Bug Description

[Discovered here: https://bugzilla.redhat.com/show_bug.cgi?id=1776326 ]

When deploying with DPDK, openvswitch has denials when it wants to write in /var/run/openvswitch.

More details in the mentioned BZ.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-25: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695903

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-25: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/695903
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=af80a0d914d9663079ad30c7dcdf73e1060c33e7
Submitter: Zuul
Branch: master

commit af80a0d914d9663079ad30c7dcdf73e1060c33e7
Author: Cédric Jeanneret <email address hidden>
Date: Mon Nov 25 14:43:25 2019 +0100

Drop the SELinux flags for openvswitch /var/run directory

    Enforcing re-labelling (:z) creates some issues when we are deploying
    with DPDK.
    A new SELinux policy has been added[1] in openstack-selinux, allowing
    container_t to actually write in openvswitch_file_t.

The "shared" flag isn't of any use in this context, because we don't
have any sub-mounts[2] in there.

Also dropped a duplicate mount (/var/run == /run)

    This issue is related to the following BZ:
    https://bugzilla.redhat.com/show_bug.cgi?id=1772025
    https://bugzilla.redhat.com/show_bug.cgi?id=1776326

[1] https://github.com/redhat-openstack/openstack-selinux/pull/46
[2] https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation

Change-Id: I216d7899c569419fdee7e30cc11af1d68d0f7fa3
Closes-Bug: #1853844

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-26: Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/696024

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-26: Change abandoned on tripleo-heat-templates (stable/train)

Change abandoned by Cédric Jeanneret (Tengu) (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/696024
Reason: brain fart - we allowed openvswitch to access container_file_t - hence we still need the :z flag for container access...

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-11-27: Fix included in openstack/tripleo-heat-templates 12.0.0

This issue was fixed in the openstack/tripleo-heat-templates 12.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

redhat-bugs #1772025
[ON_QA] Edit
redhat-bugs #1776326
[NEW] Edit

Bug watches keep track of this bug in other bug trackers.