A new keyring config file needs to be installed as a part of the openstack-keystone package to avoid a hang issue that we are encountering on RHEL 7.4 (see bug#1475969). This new file needs to be labeled properly to allow it to be read by keystone's httpd process when running in SELinux enforcing mode. Here is the AVC that will be encountered without this policy change: type=AVC msg=audit(1501609484.063:13177): avc: denied { open } for pid=10111 comm="httpd" path="/var/lib/keystone/.local/share/python_keyring/keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file type=AVC msg=audit(1501609484.063:13177): avc: denied { read } for pid=10111 comm="httpd" name="keyringrc.cfg" dev="dm-0" ino=396418 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=file A temporary workaround for this is to use chcon to grant access to the file: # chcon system_u:system_r:httpd_t:s0 /var/lib/keystone/.local/share/python_keyring/keyringrc.cfg We need an fcontext rule added so this label persists after a relabel. We will need this change applied before we can ship the openstack-keystone update, and we would like to add a versioned package dependency to have openstack-keystone require this new version of openstack-selinux.
Apache isn't used for WSGI services on OSP6, is it?
Also, fcontext may not work here - whatever's deploying will no longer have access to write/create the file. I think httpd just needs a boolean until WSGI settles that give it access to the keystone type.
https://github.com/redhat-openstack/openstack-selinux/commit/ad96ed3d459797cc417cdbfaf1a869d4d285f50e
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2668