Previously, httpd was not allowed to search through directories having the "nova_t" label. Consequently, nova-novncproxy failed to deploy an HA overcloud. This update allows httpd to search through such directories, which enables nova-novncproxy to run successfully.
Another nova_t rule. This rule is likely the culprit. To fix this AVC is very tricky because the nova_t type doesn't exist on rhel 7, but it does in rhel 7.1 and 7.2. I can't find a transition, so optional policy should work.
type=AVC msg=audit(1447350863.972:257): avc: denied { search } for pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0
Comment 8 Alexander Chuzhoy 2016-01-07 17:24:02 UTC
Verified.
Environment:
openstack-selinux-0.6.48-1.el7ost.noarch
Successfully deployed HA overcloud without network isolation.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-0603.html
rhel-osp-director: 8.0 - fail to deploy HA overcloud. Several puppet errors in the log, also several selinux AVC messages.

Environment:
instack-undercloud-2.1.3-1.el7ost.noarch

Steps to reproduce:
Attempt to deploy a basic HA overcloud with no network isolation.

Result:
The deployment fails.

resources.ControllerOvercloudServicesDeployment_Step4: resources.ControllerNodesPostDeployment.Error: resources[2]: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 6

Checking a controller I see several errors in the messages file and some avc reports in audit.log:

type=AVC msg=audit(1447350156.569:90): avc: denied { read } for pid=578 comm="NetworkManager" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:91): avc: denied { read } for pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.596:92): avc: denied { write } for pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.622:93): avc: denied { write } for pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350156.670:94): avc: denied { write } for pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350507.817:103): avc: denied { execute } for pid=27439 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350733.646:137): avc: denied { execute } for pid=3455 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1447350784.906:220): avc: denied { search } for pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350784.906:221): avc: denied { search } for pid=4785 comm="neutron-server" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:neutron_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:256): avc: denied { search } for pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:257): avc: denied { search } for pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447351493.184:434): avc: denied { execute } for pid=11044 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Note: Was able to complete nonHA deployment successfully.

Expected result:
Successful HA overcloud deployment.
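As an added example (not part of this bug report or of openstack-selinux), the triage step that comment 2 and the description above imply: group the AVC denials by source type, target type and object class, so each group can be judged as one candidate rule rather than reading a dozen near-duplicate lines. The sample log embedded below is four of the denials quoted in this report, copied verbatim; the parser also rejects truncated records like the one quoted in comment 2.

```python
import re
from collections import defaultdict

# Sample input: four of the denials quoted in this bug report, verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1447350156.596:92): avc: denied { write } for pid=10363 comm="dhclient" name="dhclient-br-ex.pid" dev="tmpfs" ino=32089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1447350863.972:256): avc: denied { search } for pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447350863.972:257): avc: denied { search } for pid=5894 comm="nova-novncproxy" name="httpd" dev="sda2" ino=8398827 scontext=system_u:system_r:nova_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1447351493.184:434): avc: denied { execute } for pid=11044 comm="redis-sentinel" name="redis-notifications.sh" dev="sda2" ino=8412437 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value" tokens


def parse_avc(line):
    """Parse one AVC 'denied' record into its policy-relevant parts.
    Returns None for non-AVC lines and for records truncated before
    one of the fields a rule needs (comm, scontext, tcontext, tclass)."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if any(k not in fields for k in ('comm', 'scontext', 'tcontext', 'tclass')):
        return None
    # A context is user:role:type:level; only the type matters for a rule.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {'perms': set(m.group(1).split()), 'comm': fields['comm'].strip('"'),
            'stype': stype, 'ttype': ttype, 'tclass': fields['tclass']}


def summarize(log_text):
    """Group denials by (source type, target type, class): one group is one
    candidate rule, with the union of denied permissions and a hit count."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['comms'].add(rec['comm'])
        g['count'] += 1
    return dict(groups)


def allow_rules(summary):
    """Render each group in .te allow-rule syntax (what audit2allow would emit)."""
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(g['perms'])))
                  for (s, t, c), g in summary.items())


if __name__ == '__main__':
    print('\n'.join(allow_rules(summarize(SAMPLE_AUDIT_LOG))))
```

A group whose target is a generic type such as var_run_t usually points at a mislabelled file (fixed with the right file context and restorecon) rather than a missing allow rule; only the remaining groups are candidates for a policy change like the one this bug describes.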