Bug 1232892

Summary: Merge Ipxe tripleo selinux policy into openstack-selinux
Product: Red Hat OpenStack Reporter: Ryan Hallisey <rhallise>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED ERRATA QA Contact: Omri Hochman <ohochman>
Severity: unspecified Docs Contact:
Priority: high    
Version: DirectorCC: jslagle, lhh, mgrepl, rhallise, rrosa, sasha, yeylon
Target Milestone: gaKeywords: OtherQA, Triaged
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.6.34-1.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-05 13:27:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Hallisey 2015-06-17 18:32:59 UTC 
Merge tripleo selinux element into openstack-selinux

module ironic-ipxe 1.0;
require {
type httpd_t;
type tftpdir_t;
class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t tftpdir_t:file { read getattr open };
Comment 3 Ryan Hallisey 2015-06-18 15:19:51 UTC 
Additional policy needed for openstack-selinux so that we can remove tripleo selinux.  All set to build just need acks.
Comment 4 Ryan Hallisey 2015-06-23 14:54:00 UTC 
whoops.  Ignore the blocker flag reset.
Comment 7 Omri Hochman 2015-07-22 19:42:37 UTC 
Verified openstack-selinux-0.6.37-1.el7ost.noarch : 

According to comment #6
Added selinux to "exclude-element : 

    "exclude-element": [
      "pip-and-virtualenv",
      "ironic",
      "os-collect-config",
      "selinux",
      "openstack-clients"
    ],

(1) successful deployment of undercloud: 
#############################################################################
instack-install-undercloud complete.

(2) successful deployment of overcloud :
DEBUG: os_cloud_config.utils.clients Creating nova client.
Overcloud Endpoint: http://10.19.184.50:5000/v2.0/
Overcloud Deployed
DEBUG: openstackclient.shell clean_up DeployOvercloud
Comment 8 Ryan Hallisey 2015-07-23 19:39:59 UTC 
    "exclude-element": [
      "pip-and-virtualenv",
      "ironic",
      "os-collect-config",
      "selinux",
      "ipxe",
      "openstack-clients"
    ],

This is actually still applying the ipxe rule.  You need to exclude the two elements linked below.  I think the above will do it.

https://github.com/rdo-management/instack-undercloud/tree/master/elements/ipxe/selinux

https://github.com/rdo-management/instack-undercloud/blob/master/elements/ipxe/os-refresh-config/configure.d/00-apply-selinux-policy
Comment 9 Omri Hochman 2015-07-28 19:43:27 UTC 
Following the instructions on Comment #8 , probably caused to following side effect :

1) this file was missing /tftpboot/undionly.kpxe
2) the http wasn't running on port 8088

we need to find another way to verify..
Comment 11 errata-xmlrpc 2015-08-05 13:27:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548