Description of problem:
Keystone is not set up from a packstack run to deliver notifications. Attempting to do so trips over SELinux denying access to the RabbitMQ port.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
Edit /etc/keystone/Keystone.conf
set notification_driver=nova.openstack.common.notifier.rpc_notifier
(should not be a nova specific value, but this works)

But then Notification causes command to hang

in /etc/keystone/Keystone.log
AMQP server on localhost:5672 is unreachable:

Need an SELinux policy change to let Keystone write to port 5672

2014-06-05 19:53:09.381 25222 ERROR oslo.messaging._drivers.impl_rabbit [-] AMQP server on 192.168.187.26:5672 is unreachable: [Errno 13] EACCES. Trying again in 11 seconds.

Set permissive got it through.

Created attachment 902950
audit log

type=AVC msg=audit(1402012459.925:68081): avc: denied { name_connect } for pid=25341 comm="keystone-all" dest=5672 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket

commit b77d9519cdd72090bf8d12a702730388027b9679
Author: Miroslav Grepl <mgrepl>
Date: Mon Jun 9 15:49:36 2014 +0200

    Allow keystone to connect to additional ports to make OpenStack working

Added to Fedora/RHEL7.1.