Bug 1388644

Summary: rhel-osp-director: 10.0 on rhel7.3: undercloud deployment fails: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1
Product: Red Hat OpenStack
Reporter: Lon Hohberger <lhh>
Component: openstack-tripleo-image-elements
Assignee: James Slagle <jslagle>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: unspecified
Priority: high
Version: 9.0 (Mitaka)
CC: dbecker, fhubik, jcoufal, jschluet, lhh, mburns, morazi, ohochman, rhel-osp-director-maint, sasha, srevivo
Target Milestone: rc
Keywords: TestOnly, Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Clone Of: 1387935
Last Closed: 2016-12-14 16:25:18 UTC
Type: Bug

Comment 1 Lon Hohberger 2016-10-25 19:55:52 UTC
https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

... breaks OpenStack tripleo-image-elements selinux policy module handling.

This commit is present in RHEL 7.3 (beta and later), and is 

This affects OSP 7-10.

Comment 2 James Slagle 2016-10-26 04:57:18 UTC
(In reply to Lon Hohberger from comment #1)
> https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef
> 
> ... breaks OpenStack tripleo-image-elements selinux policy module handling.
> 
> This commit is present in RHEL 7.3 (beta and later), and is 
> 
> This affects OSP 7-10.

It's still something we can fix, but I do not think these affected elements are actually used any longer for the undercloud or overcloud in OSP 10.

Was the issue reproduced on OSP 10?

Comment 3 Lon Hohberger 2016-10-28 14:47:38 UTC
No.  If they're no longer used, go ahead and close this.

Comment 4 Lon Hohberger 2016-10-28 14:49:19 UTC
That is, it wasn't reproduced to my knowledge.

Comment 5 James Slagle 2016-11-01 15:16:08 UTC
We don't use these elements on newton/10, but the patch has still merged to master so we can backport to mitaka/9 and liberty/8.

Moving this to ON_QA and TestOnly as we only need to confirm that this does not reproduce for OSP 10.

Comment 6 James Slagle 2016-11-01 18:04:52 UTC
All we need to have done is install an undercloud on RHEL 7.3 successfully, and verify selinux is enforcing to call this VERIFIED.

Comment 7 Alexander Chuzhoy 2016-11-02 02:19:31 UTC
Verified:


[stack@instack ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


[stack@instack ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)


[stack@instack ~]$ . stackrc


[stack@instack ~]$ nova service-list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary         | Host                | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert      | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:20.000000 | -               |
| 4  | nova-scheduler | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:19.000000 | -               |
| 5  | nova-conductor | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:17.000000 | -               |
| 7  | nova-compute   | instack.localdomain | nova     | enabled | up    | 2016-11-02T03:18:16.000000 | -               |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
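
The check that comment 6 asks for and comment 7 performs by hand, written as a script. This is an added example, not part of the bug report or of the project's code; `sestatus_field` and `check_verified` are hypothetical helper names, and the permissive sample is constructed. It also requires the configured mode to be enforcing, so a host that was only switched at runtime does not pass.

```shell
#!/bin/sh
# Added example: gate on the facts needed to call the bug VERIFIED.
# sestatus_field and check_verified are hypothetical helper names.

# Print the value of one "Key:    value" line from sestatus output on stdin.
sestatus_field() {
    awk -F: -v key="$1" '$1 == key {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# check_verified SESTATUS_TEXT RELEASE_TEXT
# Returns 0 only if SELinux is enabled, the running mode is enforcing,
# the configured (boot-time) mode is enforcing, and the host is RHEL 7.3.
check_verified() {
    status=$(printf '%s\n' "$1" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$1" | sestatus_field "Current mode")
    config=$(printf '%s\n' "$1" | sestatus_field "Mode from config file")
    [ "$status" = "enabled" ]    || { echo "FAIL: SELinux status is '$status'"; return 1; }
    [ "$current" = "enforcing" ] || { echo "FAIL: current mode is '$current'"; return 1; }
    [ "$config" = "enforcing" ]  || { echo "FAIL: config file mode is '$config'"; return 1; }
    case "$2" in
        *"release 7.3 "*) ;;
        *) echo "FAIL: not RHEL 7.3: $2"; return 1 ;;
    esac
    echo "VERIFIED"
}

# Fields copied from the sestatus output in comment 7.
SAMPLE_OK='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'

# Constructed sample: enforcing at runtime only, permissive after a reboot.
SAMPLE_PERMISSIVE='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive'

SAMPLE_RELEASE='Red Hat Enterprise Linux Server release 7.3 (Maipo)'

check_verified "$SAMPLE_OK" "$SAMPLE_RELEASE"
check_verified "$SAMPLE_PERMISSIVE" "$SAMPLE_RELEASE" || true

# On a real undercloud host:
#   check_verified "$(sudo sestatus)" "$(cat /etc/redhat-release)"
```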

Comment 10 errata-xmlrpc 2016-12-14 16:25:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html