Bug 1641743

Summary: On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap blocked by SELinux
Product: Red Hat OpenStack Reporter: Zoli Caplovic <zcaplovi>
Component: openstack-selinuxAssignee: Zoli Caplovic <zcaplovi>
Status: CLOSED ERRATA QA Contact: Julie Pichon <jpichon>
Severity: high Docs Contact:
Priority: urgent    
Version: 10.0 (Newton)CC: jpichon, jschluet, lhh, mgrepl, psedlak, zcaplovi
Target Milestone: z3Keywords: Rebase, TestOnly, Triaged, ZStream
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.15-1.el7ost Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Story Points: ---
Clone Of: 1641671
: 1641746 (view as bug list) Environment:
Last Closed: 2019-04-30 16:59:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1638547, 1638548, 1640528, 1641671    
Bug Blocks: 1641746    

Comment 2 Lon Hohberger 2018-11-01 10:43:17 UTC 
According to our records, this should be resolved by openstack-selinux-0.8.15-1.el7ost.  This build is available now.
Comment 3 Julie Pichon 2019-04-23 15:49:02 UTC 
Sanity-check:

$ rpm -q openstack-selinux
openstack-selinux-0.8.18-1.el7ost.noarch

$ ls /usr/share/openstack-selinux/0.8.18/tests/ | grep 1640528 (bug referenced in the commit from the description)
bz1640528

$ grep execute /usr/share/openstack-selinux/0.8.18/tests/bz1640528 (similar AVC to description)
type=AVC msg=audit(...): avc:  denied  { execute } for  pid=... comm="sudo" name="unix_chkpwd" dev="vda1" ino=... scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1

$ sudo /usr/share/openstack-selinux/0.8.18/tests/check_all 
Results: 797 total, 0 failed
Overall result: PASS
Comment 5 errata-xmlrpc 2019-04-30 16:59:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0922