Created attachment 964149 [details]
fix for os-neutron.te

Description of problem:
When creating VRRP HA router with SELINUX=enforcing, keepalived on Network nodes failed to start because of SELinux context mismatch.

Version-Release number of selected component (if applicable):
CentOS7 + RDO Juno
openstack-selinux-0.5.19-2.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure OpenStack environment with 1 controller node, 2 network nodes, 1 compute node. All nodes are set SELINUX=enforcing.
2. Enable l3_ha in /etc/neutron/neutron.conf
  # openstack-config --set /etc/neutron/neutron.conf DEFAULT l3_ha True
3. Create HA router.
  # neutron router-create router01

Actual results:
Journalctl shows messages like this:
2014-11-29 15:28:11.800 2269 ERROR neutron.agent.l3_agent [-]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter- 002a56ba-beda-43ad-a5d6-adff4dc1a725', 'keepalived', '-P', '-f', '/var/lib/neutron/ha_confs/002a56ba- beda-43ad-a5d6-adff4dc1a725/keepalived.conf', '-p', '/var/lib/neutron/ha_confs/002a56ba-beda-43ad- a5d6-adff4dc1a725.pid', '-r', '/var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid- vrrp']
Exit code: 99
Stdout: ''
Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-002a56ba-beda-43ad- a5d6-adff4dc1a725 keepalived -P -f /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6- adff4dc1a725/keepalived.conf -p /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid
-r /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6adff4dc1a725.pid-vrrp (no filter matched)\n'

Expected results:
Start keepalived successfully

Additional info:
Please find attach patch for os-neutron.te.