Description of problem:
With openstack-selinux-0.7.12-1.el7.noarch installed, httpd cannot listen to port 5000 to run keystone so it fails to start. Downgrading to openstack-selinux-0.7.4-2.el7.noarch allows httpd to start.

Version-Release number of selected component (if applicable):
openstack-selinux-0.7.4-2.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. install httpd, openstack-selinux-0.7.12-1
2. configure httpd to listen on port 5000
3. attempt to start httpd

Actual results:
httpd fails to start

Expected results:
httpd should be able to listen on port 5000

Additional info:
type=AVC msg=audit(1481210263.956:2156): avc: denied { name_bind } for pid=19937 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
openstack-selinux-0.7.12-1 seems to depend on RHEL 7.3 bits. I have found a similar issue with Packstack on CentOS 7.2, and it was fixed by updating selinux-policy to version 3.13.1-102 (using the CentOS CR repository).
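Added example, not part of the original report or of openstack-selinux: a small parser for the AVC record quoted in the description, which pulls out the process, port, source type and port type of each name_bind denial. The second sample record and all function names are constructed for illustration.

```python
import re

# AVC record copied verbatim from the bug report.
REPORTED = (
    'type=AVC msg=audit(1481210263.956:2156): avc: denied { name_bind } '
    'for pid=19937 comm="httpd" src=5000 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket'
)
# Constructed record (not from the report): a file denial that must be ignored.
CONSTRUCTED = (
    'type=AVC msg=audit(1481210264.000:2157): avc: denied { read } '
    'for pid=19937 comm="httpd" name="example.conf" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':', 3)  # the MLS level may itself contain ':'
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one audit line; return a dict of fields, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def port_bind_denials(lines):
    """List (comm, port, source type, port type) for each denied name_bind."""
    found = []
    for line in lines:
        f = parse_avc(line)
        if (f and f['result'] == 'denied' and 'name_bind' in f['perms']
                and f.get('src', '').isdigit()):
            found.append((f.get('comm'), int(f['src']),
                          selinux_type(f.get('scontext', '')),
                          selinux_type(f.get('tcontext', ''))))
    return found

if __name__ == '__main__':
    for comm, port, stype, ptype in port_bind_denials([REPORTED, CONSTRUCTED]):
        print(f'{comm} ({stype}) denied name_bind on port {port} labelled {ptype}')
```

The extracted source type and port type are the pair to look up in the loaded policy (for example with sesearch or semanage port -l) when comparing hosts that carry different selinux-policy versions.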
Please push upstream to https://github.com/redhat-openstack/openstack-selinux/commits/el7-rpm (which is now very out of sync) or let me know and I'll do the specfile sync.
https://github.com/redhat-openstack/openstack-selinux/commit/c8c013c0aa74aa161672ed1688817a1f45deaf2f Just added 0.7.13-2
https://rhos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/RHOS/view/RHOS10/job/qe-phase2-10_director-rhel-7.3-virthost-3cont_2comp-ipv4-vxlan-lvm-external-loadbalancer/63/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0233.html