Description of problem: When the instack undercloud cloud is built using virt-builder, baremetal instances do not boot up properly because of iscsi avc denials When the instack undercloud cloud is built using a Fedora 20 live cd, iscsi avc denials do not occur. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.12.1-153.fc20.noarch selinux-policy-3.12.1-153.fc20.noarch How reproducible: always Steps to Reproduce: Build and deploy instack undercloud using this guide https://github.com/agroup/instack-undercloud/blob/master/README-virt.md Choose package install. Actual results: baremetal instances do not boot up. avc denials attached. Expected results: baremetal instances should boot with no avc denials. Additional info: Attached audit.log and custom policies to work around the issue.
Created attachment 886356 [details] audit.log from undercloud instance
Created attachment 886357 [details] custom policy to allow baremetal instances to boot
commit 614675e48460790b2c20a6566062ab1926678a9a Author: Miroslav Grepl <mgrepl> Date: Tue Apr 15 09:03:01 2014 +0200 Allow iscsid to handle own unit files commit ab64b4c70bbac155d47323d6a4469be3590468b1 Author: Miroslav Grepl <mgrepl> Date: Tue Apr 15 09:01:41 2014 +0200 Add iscsi_systemctl()
selinux-policy-3.12.1-158.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-158.fc20
Package selinux-policy-3.12.1-158.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-158.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-5660/selinux-policy-3.12.1-158.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-158.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.