Merge tripleo selinux element into openstack-selinux module ironic-ipxe 1.0; require { type httpd_t; type tftpdir_t; class file { read getattr open }; } #============= httpd_t ============== allow httpd_t tftpdir_t:file { read getattr open };
Additional policy needed for openstack-selinux so that we can remove tripleo selinux. All set to build just need acks.
whoops. Ignore the blocker flag reset.
Verified openstack-selinux-0.6.37-1.el7ost.noarch : According to comment #6 Added selinux to "exclude-element : "exclude-element": [ "pip-and-virtualenv", "ironic", "os-collect-config", "selinux", "openstack-clients" ], (1) successful deployment of undercloud: ############################################################################# instack-install-undercloud complete. (2) successful deployment of overcloud : DEBUG: os_cloud_config.utils.clients Creating nova client. Overcloud Endpoint: http://10.19.184.50:5000/v2.0/ Overcloud Deployed DEBUG: openstackclient.shell clean_up DeployOvercloud
"exclude-element": [ "pip-and-virtualenv", "ironic", "os-collect-config", "selinux", "ipxe", "openstack-clients" ], This is actually still applying the ipxe rule. You need to exclude the two elements linked below. I think the above will do it. https://github.com/rdo-management/instack-undercloud/tree/master/elements/ipxe/selinux https://github.com/rdo-management/instack-undercloud/blob/master/elements/ipxe/os-refresh-config/configure.d/00-apply-selinux-policy
Following the instructions on Comment #8 , probably caused to following side effect : 1) this file was missing /tftpboot/undionly.kpxe 2) the http wasn't running on port 8088 we need to find another way to verify..
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2015:1548