Description of problem:
Baremetal instances fail to boot in the instack overcloud. Allowing net_raw access allows the instances to boot. But is this the right thing to do?

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-156.fc20.noarch
selinux-policy-targeted-3.12.1-156.fc20.noarch
openstack-neutron-2014.1-11.fc21.noarch
openstack-neutron-ml2-2014.1-11.fc21.noarch
openstack-neutron-openvswitch-2014.1-11.fc21.noarch
dnsmasq-utils-2.68-1.fc20.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install selinux-policy-targeted-3.12.1-156
2. Install the instack-undercloud using source method and the selinux-dhcp-release branch, https://github.com/agroup/instack-undercloud
3. Check /var/log/audit.log for dhcp_release avcs

Actual results:
dhcp_release avcs

Expected results:
no dhcp_release avcs

Additional info:
Created attachment 889490 audit.log
Created attachment 889491 mypol.pp custom policy that fixes issue
Created attachment 889492 mypol.te
commit 2a239911005f97c2583c701773d9f619cf74fce1
Author: Miroslav Grepl <mgrepl>
Date: Fri Apr 25 11:59:59 2014 +0200

    Allow net_raw for neutron
selinux-policy-3.12.1-158.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-158.fc20
Package selinux-policy-3.12.1-158.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-158.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5660/selinux-policy-3.12.1-158.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-158.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
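Added example, not part of the original bug report or of the selinux-policy project: a small triage script for step 3 of the reproduction steps, which collects the AVC denials logged for dhcp_release and renders each as the narrowest allow rule that would cover it, so the requested access can be reviewed before it is granted. The log lines are constructed; the neutron_t source domain, pids and timestamps are assumptions, not values from the attached audit.log.

```python
import re
from collections import defaultdict

# Constructed sample lines in audit.log AVC format; the neutron_t domain, pids
# and timestamps are assumptions, not taken from the bug's attachment.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1398420001.101:410): avc:  denied  { net_raw } for  pid=2211 comm="dhcp_release" capability=13  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=AVC msg=audit(1398420002.202:411): avc:  denied  { net_raw } for  pid=2230 comm="dhcp_release" capability=13  scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=capability
type=AVC msg=audit(1398420003.303:412): avc:  denied  { read } for  pid=2300 comm="httpd" name="secret" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1398420003.303:412): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def denials_for(log_text, comm):
    """Count denied (source type, target type, class, permission) tuples for one command."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue  # not an AVC denial, or logged for another command
        src, tgt = selinux_type(m.group("scon")), selinux_type(m.group("tcon"))
        for perm in m.group("perms").split():
            counts[(src, tgt, m.group("tclass"), perm)] += 1
    return dict(counts)

def candidate_rules(denials):
    """Render each denial as the narrowest allow rule that would cover it."""
    rules = []
    for (src, tgt, tclass, perm) in sorted(denials):
        # Capability checks target the process's own domain, written as "self".
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {perm};")
    return rules

if __name__ == "__main__":
    found = denials_for(SAMPLE_AUDIT_LOG, "dhcp_release")
    for key, count in found.items():
        print(count, key)
    print("\n".join(candidate_rules(found)))
```

Filtering by comm keeps unrelated denials out of the proposed rule set, which is the main risk of generating a custom module from a whole audit log.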