Description of problem:
SELinux is running in permissive mode in the overcloud

[stack@puma33 ~]$ nova list
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| ID                                   | Name                   | Status | Task State | Power State | Networks            |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| c938355a-bace-47b8-ab65-45d930ca7501 | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.15 |
| 9767ba09-739b-41a2-95a0-9248d0d77ced | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.17 |
| fd51d043-6c6c-4c1f-a089-037025ec7cfa | overcloud-controller-1 | ACTIVE | -          | Running     | ctlplane=192.0.2.16 |
| db7a5c5a-9990-4f9a-a472-919a3a284e31 | overcloud-controller-2 | ACTIVE | -          | Running     | ctlplane=192.0.2.18 |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+

[stack@puma33 ~]$ ssh heat-admin.2.15
Last login: Thu Jun 18 02:26:29 2015 from 192.0.2.1
[heat-admin@overcloud-compute-0 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-compute-0 ~]$ exit
logout
Connection to 192.0.2.15 closed.

[stack@puma33 ~]$ ssh heat-admin.2.16
Last login: Thu Jun 18 02:58:37 2015 from 192.0.2.1
[heat-admin@overcloud-controller-1 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[heat-admin@overcloud-controller-1 ~]$

Version-Release number of selected component (if applicable):
instack-undercloud-2.1.2-1.el7ost.noarch

How reproducible:

Steps to Reproduce:
1. Log in to overcloud hosts (controllers and computes)
2. Check SELinux status
3.

Actual results:

Expected results:

Additional info:
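The check in the steps to reproduce, as an added example that is not part of the original report: a shell function that classifies `sestatus` output and also flags hosts where the running mode and the config-file mode disagree. The verdict names, the helper functions and the second sample are assumptions made for the example.

```shell
# Added example (not from the bug report); verdict names and helpers are hypothetical.

# Read `sestatus` output on stdin and print one verdict:
#   enforcing           runtime and config file both enforcing
#   reverts-at-reboot   enforcing now, but the config file is not
#   permissive-runtime  config file enforcing, runtime permissive
#   permissive          both permissive (the state in this report)
#   disabled / unknown  SELinux off, or output not recognised
selinux_verdict() {
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        /^SELinux status:/        { status = $2 }
        /^Current mode:/          { current = $2 }
        /^Mode from config file:/ { config = $2 }
        END {
            if (status == "disabled") print "disabled"
            else if (status != "enabled" || current == "" || config == "")
                print "unknown"
            else if (current == "enforcing" && config == "enforcing")
                print "enforcing"
            else if (current == "enforcing") print "reverts-at-reboot"
            else if (config == "enforcing")  print "permissive-runtime"
            else print "permissive"
        }'
}

# Subset of the sestatus output shown in the report for overcloud-compute-0.
sample_reported() {
    printf '%s\n' \
        'SELinux status:                 enabled' \
        'SELinuxfs mount:                /sys/fs/selinux' \
        'Current mode:                   permissive' \
        'Mode from config file:          permissive'
}

# Constructed sample: runtime switched to enforcing, config file left unchanged.
sample_runtime_only() {
    sample_reported | sed 's/^\(Current mode: *\)permissive/\1enforcing/'
}

# Exit 0 only when the host is fully enforcing, so this can gate a deploy check.
audit_host() {   # usage: <sestatus output> | audit_host <name>
    verdict=$(selinux_verdict)
    printf '%s: %s\n' "$1" "$verdict"
    [ "$verdict" = "enforcing" ]
}

sample_reported     | audit_host overcloud-compute-0 || true
sample_runtime_only | audit_host constructed-host     || true
```

On a real deployment, pipe the output of `sudo sestatus` from each overcloud node into `audit_host` with the node name as its argument.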
changing summary -- it's not dependent on HA vs non-HA
fix in both instack-build-images and unified cli
I've manually tested with the images from http://rhos-release.virt.bos.redhat.com/mburns/2015-06-24.1/images/
I edited overcloud-full.qcow2 and set selinux=enforcing and was able to deploy an Overcloud.
python-rdomanager-oscplugin patch: https://review.gerrithub.io/237539
instack-undercloud patch: https://review.gerrithub.io/237540
Verified : python-rdomanager-oscplugin-0.0.8-18.el7ost.noarch, instack-undercloud-2.1.2-11.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2015:1549