Hide Forgot
Created attachment 1231036 [details] audit log Description of problem: Current RDO Newton is generating AVC denials that are failing RDO atop RHEL internal CI pipelines. The RDO jobs are passing because selinux is set to permissive. audit.log and such is attached from most recent RDO Newton. Version-Release number of selected component (if applicable): --- openstack-selinux-0.7.12-1.el7 Most recent green/promoted RDO job: https://ci.centos.org/job/rdo-delorean-promote-newton/255/ Minimal job (sub-job) https://ci.centos.org/job/tripleo-quickstart-promote-newton-delorean-minimal/203/ Logs (and attached): https://ci.centos.org/artifacts/rdo/jenkins-tripleo-quickstart-promote-newton-delorean-minimal-203/undercloud/var/log/audit/ --- How reproducible: All current newton tripleo-quickstart jobs are exhibiting these. This is also causing RDO on RHEL internal tests (and likely the next OSP 10 import) to fail during undercloud install. This is detailed here: https://review.rdoproject.org/etherpad/p/rdo-internal-issues #72 --- We have tracked this down to having first appeared between Last hash that worked (without these issues): newton/d8f62f5b006997b210ea0374b8b71fbd63380c6c_bd923c7a First hash that failed: newton/f53d6241987bbf6c261069e0a62ebabcc0a83c67_0372e742
Created attachment 1231055 [details] audit2why log
Selinux denials are not present when using CentOS 7.3 with latest openstack-selinux-0.7.13-2. I think this could be closed as notabug.