selinux blocks libvirt from spawning instances

Bug #1661500 reported by Chris Liles
Affects: kolla-ansible
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

On docker 1.13.0 with a fresh install from master I am unable to spawn any instances.
Disabling selinux is a workaround.
Centos 7 with binary.

Attached are the nova and audit logs.

Revision history for this message
Chris Liles (christopherliles) wrote :
Revision history for this message
Chris Liles (christopherliles) wrote :
Changed in kolla-ansible:
status: New → Confirmed
Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

This seems like a selinux bug in selinux-policy or docker-selinux.

type=USER_AVC msg=audit(1486115407.138:914): pid=656 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.27 spid=10615 tpid=17369 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
 Was caused by:
  Missing type enforcement (TE) allow rule.

  You can use audit2allow to generate a loadable module to allow this access.

I was able to fix it by doing the following steps:
# check what selinux recommendations to apply.
audit2allow -a
# Create a custom selinux policy
audit2allow -a -M custompmachinedpolicy
# Apply new policy
semodule -i custompmachinedpolicy.pp

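The AVC denial quoted above names a source type (systemd_machined_t), a target type (spc_t, the super-privileged container domain), an object class (dbus) and a permission (send_msg); audit2allow turns exactly those four fields into a type-enforcement allow rule. The parser below is an added illustration, not part of this bug report or of kolla-ansible, and reproduces that translation so the resulting rule can be read before it is loaded: `audit2allow -a` generates rules for every denial currently in the audit log, not only the libvirt one, so reviewing the output is the step a practitioner would want. The first sample line is the denial from this report; the second is a constructed AVC line (labelled as such) that exists only to show how several permissions against the same type pair are merged into one rule.

```python
import re
from collections import defaultdict

# Sample audit records. Line 1 is the USER_AVC record quoted in this bug.
# Line 2 is CONSTRUCTED for this example (comm="constructed") and does not
# come from the report.
SAMPLE_AUDIT = r"""type=USER_AVC msg=audit(1486115407.138:914): pid=656 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.27 spid=10615 tpid=17369 scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1486115407.200:915): avc:  denied  { read write } for  pid=1234 comm="constructed" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=0
"""

# Matches both kernel AVC and USER_AVC (dbus) records: the permission set in
# braces, then the source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Extract (perms, source type, target type, class) from each AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ignore
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def te_rules(denials):
    """Merge denials per (source, target, class) into TE allow rules, the
    same shape audit2allow emits, so each rule can be reviewed for scope."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in te_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

Running it against the report's line yields `allow systemd_machined_t spc_t:dbus { send_msg };`, which is the single rule the libvirt failure needs. Anything else that appears in the output came from other denials in the same log and should be dropped from the module before `semodule -i` rather than loaded along with it.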
Revision history for this message
Eduardo Gonzalez (egonzalez90) wrote :

Kolla does not currently support running containers with selinux enabled.
I will mark this bug as wishlist for future reference.

Changed in kolla-ansible:
importance: Undecided → Wishlist