Description of problem:
When deploying an overcloud with TLS everywhere, compute nodes cannot fetch and store the certificate for VNC because of a SELinux denial:

[root@compute-1 ~]# /usr/bin/getcert list -i libvirt-vnc-server-cert
Number of certificates and requests being tracked: 4.
Request ID 'libvirt-vnc-server-cert':
	status: NEED_CA_CERT_SAVE_PERMS
	stuck: yes
	key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command: "systemctl reload libvirtd"
	track: yes
	auto-renew: yes

[root@compute-1 ~]# ls -l /etc/pki/libvirt-vnc/
total 8
lrwxrwxrwx. 1 root root   16 Apr  3 10:27 ca-cert.pem -> /etc/ipa/vnc.crt
-rw-r--r--. 1 root root 1793 Apr  3 10:27 server-cert.pem
-rw-r-----. 1 root qemu 1704 Apr  3 10:27 server-key.pem

[root@compute-1 ~]# grep -i denied /var/log/audit/audit.log
type=AVC msg=audit(1522743223.463:133): avc: denied { create } for pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Apparently vnc.crt should land in /etc/ipa, but is being denied creation:

[root@compute-1 ~]# ls -lZ /etc/ipa
-rw-r--r--. root root system_u:object_r:etc_t:s0  ca.crt
-rw-r--r--. root root system_u:object_r:etc_t:s0  default.conf
drwxr-xr-x. root root system_u:object_r:cert_t:s0 nssdb

Version-Release number of selected component (if applicable):
openstack-selinux-0.8.14-0.20180327131230.5afbeac.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an overcloud with TLS-everywhere enabled

Actual results:
Deployment fails at step1

Expected results:
Deployment should succeed

Additional info:
Quick note: when setting SELinux to permissive, the deployment succeeds and the only denials in the audit file are:

type=AVC msg=audit(1522764949.207:133): avc: denied { create } for pid=19181 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1522764949.207:133): avc: denied { write } for pid=19181 comm="certmonger" path="/etc/ipa/vnc.crt" dev="vda2" ino=9523099 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
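The two AVC records above are the whole evidence in this report, so a small triage script that parses them is a useful companion when checking a fixed deployment. The following Python is an added example, not code from the bug report, certmonger or openstack-selinux: it parses `type=AVC` records from an audit log, groups denials by (source type, target type, object class) the way a policy reviewer would, and flags the pattern seen here, where a certificate file is being written into a directory labelled `etc_t` (a labelling problem rather than a missing permission). The sample input embeds the two AVC lines quoted from the comment above plus one constructed non-AVC record; the mislabel heuristic and its file-extension list are assumptions of this example.

```python
import re
from collections import defaultdict

# Two AVC records quoted from the comment above, plus one constructed CWD
# record so the filter for non-AVC lines is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1522764949.207:133): avc: denied { create } for pid=19181 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1522764949.207:133): avc: denied { write } for pid=19181 comm="certmonger" path="/etc/ipa/vnc.crt" dev="vda2" ino=9523099 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=CWD msg=audit(1522764949.207:134): cwd="/"
"""

# Header of an AVC record; \s+ tolerates both the single spaces in the
# quoted lines and the double spaces auditd actually writes.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm, name, path) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Heuristic (assumption of this example): certificate material under a
# generic etc_t label usually means a file-context bug, not a missing rule.
CERT_SUFFIXES = (".crt", ".pem", ".key")


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
    }
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(context):
    """Extract the type field from user:role:type:level (or return as-is)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def object_of(rec):
    """The denied object: a full path if the kernel logged one, else the name."""
    return rec.get("path") or rec.get("name")


def is_likely_mislabel(rec):
    """True when a cert-looking file is being touched under a plain etc_t label."""
    obj = object_of(rec) or ""
    return (
        rec.get("tclass") == "file"
        and context_type(rec.get("tcontext", "")) == "etc_t"
        and obj.endswith(CERT_SUFFIXES)
    )


def summarize_denials(text):
    """Group denied AVC records by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(),
                                  "comms": set(), "mislabel": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (context_type(rec.get("scontext", "?")),
               context_type(rec.get("tcontext", "?")),
               rec.get("tclass", "?"))
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec.get("comm", "?"))
        if object_of(rec):
            g["objects"].add(object_of(rec))
        g["mislabel"] = g["mislabel"] or is_likely_mislabel(rec)
    return dict(groups)


def format_summary(groups):
    """One line per group, in the order a reviewer would read them."""
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        note = "  <- check file context, not a new allow rule" if g["mislabel"] else ""
        lines.append(
            f"{src} -> {tgt} ({cls}): {' '.join(sorted(g['perms']))} "
            f"[comm: {', '.join(sorted(g['comms']))}; "
            f"objects: {', '.join(sorted(g['objects']))}]{note}"
        )
    return lines


if __name__ == "__main__":
    for line in format_summary(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(line)
```

Run against a real `/var/log/audit/audit.log` by reading the file into `summarize_denials`; on the report's data it yields a single group, `certmonger_t -> etc_t (file): create write`, with the mislabel note set, which matches the `ls -lZ /etc/ipa` output in the description where the directory contents carry `etc_t` rather than `cert_t`.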
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086