A new keyring config file needs to be installed as a part of the openstack-keystone package to avoid a hang issue that we are encountering on RHEL 7.4 (see bug#1478173). This new file needs to be labeled properly to allow it to be read by keystone's httpd process when running in SELinux enforcing mode.
Here is the AVC that will be encountered without this policy change:
type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file
A temporary workaround for this is to use chcon to grant access to the file:
# chcon system_u:system_r:httpd_t:s0 /var/lib/keystone/.local/share/python_keyring/keyringrc.cfg
We need an fcontext rule added so this label persists after a relabel. We will need this change applied before we can ship the openstack-keystone update, and we would like to add a versioned package dependency to have openstack-keystone require this new version of openstack-selinux.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2701