Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1274060

Summary: [SELinux][RHEL7] openstack-ironic-inspector-dnsmasq.service fails to start with SELinux enabled
Product: [Community] RDO Reporter: Joe Talerico <jtaleric>
Component: rdo-managerAssignee: Hugh Brock <hbrock>
Status: CLOSED EOL QA Contact: Shai Revivo <srevivo>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: LibertyCC: jtaleric, mburns, rhallise
Target Milestone: ---   
Target Release: Kilo   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-19 15:38:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joe Talerico 2015-10-21 19:37:14 UTC 
With SELinux enabled I am unable to install the undercloud due to openstack-ironic-inspector-dnsmasq service failing to start.

Packages (SELinux):
openstack-selinux-0.6.41-1.el7.noarch

Release:
Red Hat Enterprise Linux Server release 7.1 (Maipo)
3.10.0-229.el7.x86_64

type=AVC msg=audit(1445455304.383:1354): avc:  denied  { read } for  pid=33372 comm="dnsmasq" name="tftpboot" dev="dm-1" ino=7516527816 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
Comment 1 Ryan Hallisey 2015-10-22 14:41:41 UTC 
Where is the dir located that dnsmasq is reading from? default_t is given to a top level created dir. Ex) `mkdir /mydir` will have the label default_t.
So if you are creating say a config file directory or a log file directory in '/', then the type is going to be set to default_t.  You will need to run a `restorecon -r /mydir` and see if that fixes the label.  I don't think the solution for this should include an allow rule for default_t.
Comment 2 Joe Talerico 2015-10-22 16:35:19 UTC 
I think it could be the conf-file :

nobody   23191  0.0  0.0  15496   416 ?        S    12:34   0:00 /sbin/dnsmasq --conf-file=/etc/ironic-inspector/dnsmasq.conf
Comment 3 Ryan Hallisey 2015-10-22 23:56:35 UTC 
To confirm the type do `ls -lZd /etc/ironic-inspector`
I'm guessing it's default_t
Comment 4 Joe Talerico 2015-10-23 18:13:56 UTC 
Hey Ryan,
drwxr-xr-x. root ironic-inspector system_u:object_r:etc_t:s0       /etc/ironic-inspector
Comment 7 Chandan Kumar 2016-05-19 15:38:22 UTC 
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.