https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef
... breaks OpenStack tripleo-image-elements selinux policy module handling.
This commit is present in RHEL 7.3 (beta and later), and is
This affects OSP 7-10.
(In reply to Lon Hohberger from comment #1)
> https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef
>
> ... breaks OpenStack tripleo-image-elements selinux policy module handling.
>
> This commit is present in RHEL 7.3 (beta and later), and is
>
> This affects OSP 7-10.
It's still something we can fix, but I do not think these affected elements are actually used any longer for the undercloud or overcloud in OSP 10. Was the issue reproduced on OSP 10?
No. If they're no longer used, go ahead and close this.
That is, it wasn't reproduced to my knowledge.
We don't use these elements on newton/10, but the patch has still merged to master so we can backport to mitaka/9 and liberty/8. Moving this to ON_QA and TestOnly, as we only need to confirm that this does not reproduce for OSP 10.
All we need to have done is install an undercloud on RHEL 7.3 successfully, and verify selinux is enforcing to call this VERIFIED.
Verified:
[stack@instack ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[stack@instack ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
[stack@instack ~]$ . stackrc
[stack@instack ~]$ nova service-list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary         | Host                | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert      | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:20.000000 | -               |
| 4  | nova-scheduler | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:19.000000 | -               |
| 5  | nova-conductor | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:17.000000 | -               |
| 7  | nova-compute   | instack.localdomain | nova     | enabled | up    | 2016-11-02T03:18:16.000000 | -               |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html