Description of problem: Currently, SELinux is set to permissive in guest instances. It should be possible to set it to Enforcing (with some rules).
Context: api-config.ini is used for the first time in Sahara post-Liberty, see https://review.openstack.org/#/c/231989/ https://bugs.launchpad.net/sahara/+bug/1503983
Can you report any AVCs you get from running in permissive mode? We can see about those landing in openstack-selinux.