A new keyring config file needs to be installed as a part of the openstack-keystone package to avoid a hang issue that we are encountering on RHEL 7.4 (see bug#1475969). This new file needs to be labeled properly to allow it to be read by keystone's httpd process when running in SELinux enforcing mode.
Here is the AVC that will be encountered without this policy change:
type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
A temporary workaround for this is to use chcon to grant access to the file:
# chcon system_u:system_r:httpd_t:s0 /var/lib/keystone/.local/share/python_keyring/keyringrc.cfg
We need an fcontext rule added so this label persists after a relabel. We will need this change applied before we can ship the openstack-keystone update, and we would like to add a versioned package dependency to have openstack-keystone require this new version of openstack-selinux.
Also, fcontext may not work here - whatever's deploying will no longer have access to write/create the file.
I think httpd just needs a boolean until WSGI settles that give it access to the keystone type.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2668