Description of problem:
When deploying an overcloud with TLS everywhere, compute nodes cannot fetch and store the certificate for VNC because of a SELinux denial:

[root@compute-1 ~]# /usr/bin/getcert list -i libvirt-vnc-server-cert
Number of certificates and requests being tracked: 4.
Request ID 'libvirt-vnc-server-cert':
        status: NEED_CA_CERT_SAVE_PERMS
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/server-key.pem'
        certificate: type=FILE,location='/etc/pki/libvirt-vnc/server-cert.pem'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: "systemctl reload libvirtd"
        track: yes
        auto-renew: yes
     
[root@compute-1 ~]# ls -l /etc/pki/libvirt-vnc/
total 8
lrwxrwxrwx. 1 root root   16 Apr  3 10:27 ca-cert.pem -> /etc/ipa/vnc.crt
-rw-r--r--. 1 root root 1793 Apr  3 10:27 server-cert.pem
-rw-r-----. 1 root qemu 1704 Apr  3 10:27 server-key.pem



[root@compute-1 ~]# grep -i denied /var/log/audit/audit.log
type=AVC msg=audit(1522743223.463:133): avc:  denied  { create } for  pid=15813 comm="certmonger" name="vnc.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Apparently vnc.crt should land in /etc/ipa, but is being denied creation:

[root@compute-1 ~]# ls -lZ /etc/ipa
-rw-r--r--. root root system_u:object_r:etc_t:s0       ca.crt
-rw-r--r--. root root system_u:object_r:etc_t:s0       default.conf
drwxr-xr-x. root root system_u:object_r:cert_t:s0      nssdb


Version-Release number of selected component (if applicable):
openstack-selinux-0.8.14-0.20180327131230.5afbeac.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. deploy an overcloud with TLS-everywhere enabled

Actual results:
Deployment fails at step1

Expected results:
Deployment should succeed

Additional info: