This commit introduces rootwrap-daemon to Nova: https://github.com/openstack-packages/nova/commit/a23cc14307dcb32c2db8d2ec0f930b3eeb63be3e

With this commit in, openstack-nova-api will not start when selinux is enforcing: http://paste.openstack.org/show/475122/

AVC is:

    type=AVC msg=audit(1443733028.613:8322): avc: denied { create } for pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
There are probably more AVCs to add, run permissive and collect them all.
This is the only rule needed, it seems:

    # grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow

    #============= nova_api_t ==============
    allow nova_api_t nova_api_tmp_t:sock_file { create unlink getattr setattr write };

Adding that as follows allows nova-api to start, and I've confirmed that commands are now executed through the rootwrap daemon:

    # grep nova-rootwrap-d /var/log/audit/audit.log | audit2allow -M nova-rootwrap-d
    # semodule -i nova-rootwrap-d.pp

p.s. I added the 'write' in manually to the above, as that was reported as a subsequent denial only after the initial functions were allowed.
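The audit2allow step above collapses a set of AVC records into one allow rule keyed by source type, target type and object class. As an added example (not part of the bug report or of audit2allow itself), the following Python does the same aggregation over constructed audit records modelled on the denial quoted above, so that the reviewer can see exactly which denials contribute to the rule before loading a module; the extra setattr/getattr/unlink/write records and the comm="nova-api" attribution of the write denial are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records: the first mirrors the denial quoted in the
# bug report, the rest are constructed to stand in for the later denials the
# commenter mentions. The trailing SYSCALL record must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1443733028.613:8322): avc:  denied  { create } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1443733029.001:8323): avc:  denied  { setattr } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1443733029.002:8324): avc:  denied  { getattr } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1443733029.003:8325): avc:  denied  { unlink } for  pid=18870 comm="nova-rootwrap-d" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1443733040.500:8330): avc:  denied  { write } for  pid=18871 comm="nova-api" name="rootwrap.sock" scontext=system_u:system_r:nova_api_t:s0 tcontext=system_u:object_r:nova_api_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1443733028.613:8322): arch=c000003e syscall=49 success=no exit=-13
"""

# Pull the denied permissions, the type field of each context and the object
# class out of an AVC record; other record types do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text, comm=None):
    """Map (source_type, target_type, tclass) -> set of denied permissions.

    If comm is given, only records for that process name are counted, which is
    what the 'grep nova-rootwrap-d' in the bug report does."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if comm is not None and 'comm="%s"' % comm not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def allow_rules(denials):
    """Render one allow rule per (source, target, class) in audit2allow's form."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(denials.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_AUDIT_LOG))))
```

Filtering by comm="nova-rootwrap-d" alone yields a rule without write, which is the gap the commenter filled by hand; note that the resulting rule grants nova_api_t the listed permissions on every sock_file labelled nova_api_tmp_t, not just rootwrap.sock, so it is worth reviewing the set of permissions before running semodule -i.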
This bug is against a Version which has reached End of Life. If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.