Symptom

The status of an OpenStack VPN IPsec site connection stays PENDING_CREATE and never becomes ACTIVE.

[root@controller ~]# openstack vpn ipsec site connection list
+--------------------------------------+--------+----------------+--------------------------+----------------+
| ID                                   | Name   | Peer Address   | Authentication Algorithm | Status         |
+--------------------------------------+--------+----------------+--------------------------+----------------+
| a4e355ad-e2f2-43af-a313-a3aff45d3ca2 | conn-2 | 192.168.25.123 | psk                      | PENDING_CREATE |
| e2452324-210f-4853-b145-4277dd674313 | conn-1 | 192.168.25.102 | psk                      | PENDING_CREATE |
+--------------------------------------+--------+----------------+--------------------------+----------------+
[root@controller ~]# 

Checking the audit log (/var/log/audit/audit.log) shows entries like the following.

type=AVC msg=audit(1545401736.312:429): avc:  denied  { execute } for  pid=9692 comm="neutron-vpn-net" 〜
[root@controller ~]# tail -F /var/log/audit/audit.log
type=AVC msg=audit(1545401736.312:429): avc:  denied  { execute } for  pid=9692 comm="neutron-vpn-net" name="mount" dev="dm-0" ino=178132 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1545401736.312:429): arch=c000003e syscall=59 success=no exit=-13 a0=265f0c0 a1=2403aa0 a2=2673d00 a3=2 items=0 ppid=9683 pid=9692 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-vpn-net" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=PROCTITLE msg=audit(1545401736.312:429): proctitle=2F7573722F62696E2F707974686F6E32002F62696E2F6E657574726F6E2D76706E2D6E65746E732D77726170706572002D2D6D6F756E745F70617468733D2F6574633A2F7661722F6C69622F6E657574726F6E2F69707365632F35623733383236372D396565382D346330342D383538382D6330366265626463663430352F65
type=AVC msg=audit(1545401736.313:430): avc:  denied  { execute } for  pid=9692 comm="neutron-vpn-net" name="mount" dev="dm-0" ino=178132 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1545401736.313:430): arch=c000003e syscall=59 success=no exit=-13 a0=265f0c0 a1=2403aa0 a2=25cb6d0 a3=7f0ac3f602a2 items=0 ppid=9683 pid=9692 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-vpn-net" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=PROCTITLE msg=audit(1545401736.313:430):

Resolution

The cause is SELinux enforcement, so allow the access in SELinux. If the problem is still not resolved after allowing the access in SELinux, some other factor may be involved.

Check the messages log (/var/log/messages) to find out why SELinux is denying the access and how to resolve it. The setroubleshoot tool must be installed for these messages to appear.

[root@controller ~]# tail -F /var/log/messages
Dec 21 23:59:23 controller python: SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/bin/mount.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed execute_no_trans access on the mount file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'neutron-vpn-net' --raw | audit2allow -M my-neutronvpnnet#012# semodule -i my-neutronvpnnet.pp#012
Dec 21 23:59:25 controller chronyd[1770]: Selected source 133.243.238.244
Dec 21 23:59:26 controller setroubleshoot: SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/bin/mount. For complete SELinux messages run: sealert -l 226bde0f-228d-47d1-a75d-9827d13b7d22
Dec 21 23:59:26 controller python: SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/bin/mount.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed execute_no_trans access on the mount file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'neutron-vpn-net' --raw | audit2allow -M my-neutronvpnnet#012# semodule -i my-neutronvpnnet.pp#012
Dec 21 23:59:26 controller setroubleshoot: SELinux is preventing /usr/bin/python2.7 from execute_no_trans access on the file /usr/bin/mount. For complete SELinux messages run: sealert -l 226bde0f-228d-47d1-a75d-9827d13b7d22

Allow the access in SELinux.

[root@controller ~]# ausearch -c 'neutron-vpn-net' --raw | audit2allow -M my-neutronvpnnet
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-neutronvpnnet.pp

[root@controller ~]#
[root@controller ~]# semodule -i my-neutronvpnnet.pp
[root@controller ~]#
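The ausearch | audit2allow -M step above turns every matching AVC record into allow rules and packages them into a policy module, so it is worth knowing exactly which domain, target type, object class and permissions that module will grant before running semodule -i. The following Python script is an added example, not part of the original note or of the audit2allow tool: it parses AVC records (the sample input is constructed from the audit log lines shown above) and prints the distinct allow rules they imply, in the same allow source target:class perm; form that audit2allow writes into the generated my-neutronvpnnet.te file. The helper names (parse_avc, summarize_denials, allow_rules) are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC/SYSCALL records from the audit log shown in
# this note. Only type=AVC records carry the denial details we need.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1545401736.312:429): avc:  denied  { execute } for  pid=9692 comm="neutron-vpn-net" name="mount" dev="dm-0" ino=178132 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1545401736.312:429): arch=c000003e syscall=59 success=no exit=-13 a0=265f0c0 a1=2403aa0 a2=2673d00 a3=2 items=0 ppid=9683 pid=9692 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="neutron-vpn-net" exe="/usr/bin/python2.7" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1545401736.313:430): avc:  denied  { execute } for  pid=9692 comm="neutron-vpn-net" name="mount" dev="dm-0" ino=178132 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file
"""

# Matches the fixed prefix of an AVC record: result and the braced permission list.
AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\}')
# Matches key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:range] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return None unless it is an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'pid': fields.get('pid', '?'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'target_name': fields.get('name', fields.get('path', '?')),
    }


def summarize_denials(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed AVC records whose result is 'denied'."""
    denials = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            denials.append(rec)
    return denials


def allow_rules(denials: List[Dict[str, object]]) -> List[str]:
    """Collapse denials into the distinct allow rules a policy module would need,
    written the way audit2allow emits them in the generated .te file."""
    rules = {}
    for d in denials:
        key = (d['source_type'], d['target_type'], d['tclass'])
        rules.setdefault(key, set()).update(d['perms'])
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) == 1:
            out.append('allow %s %s:%s %s;' % (src, tgt, cls, plist))
        else:
            out.append('allow %s %s:%s { %s };' % (src, tgt, cls, plist))
    return out


if __name__ == '__main__':
    denials = summarize_denials(SAMPLE_AUDIT_LOG)
    for d in denials:
        print('%s (pid %s): %s -> %s:%s %s on %s' % (
            d['comm'], d['pid'], d['source_type'], d['target_type'],
            d['tclass'], ' '.join(d['perms']), d['target_name']))
    print('rules the policy module would grant:')
    for rule in allow_rules(denials):
        print('  ' + rule)
```

To use it on a live system, pipe the raw records in (for example the output of ausearch -c 'neutron-vpn-net' --raw) instead of the constructed sample, then compare the printed rules with the my-neutronvpnnet.te that audit2allow -M wrote beside the .pp file. If the generated module grants more than the single neutron_t to mount_exec_t:file execute rule the denial above calls for, trim the .te and rebuild it before semodule -i. After loading the module, run the same check on the audit log again: fixing one denial can surface the next one in the chain, which is the "other factor" the note refers to.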