SELinux support for OpenStack deployment on Rocky Linux 9

jimmymcheung

5/4/24, 5:17 AM

On the official article for installing openstack on RHEL/CentOS, it has mentioned at the end that one should also install openstack-selinux “to automatically manage security policies for OpenStack services”. Does the same package works for Rocky Linux? The relevant opensource repo of openstack-selinux only updates its policy until RHEL 7, and it was unclear if there’s update to the policy to accommodate RHEL/CentOS 9 (and thus Rocky Linux).

Install guide on the web only set out that SELinux and firewall should be disabled, it is possible to install openstack on Rocky while keeping firewall enabled and enforcing SELinux policy?

153

2 + 0

openstack

rocky-linux

Score:1

Server

larsks

5/4/24, 12:11 PM

It looks like the RDO project, which has OpenStack packaged for CentOS-9-stream, uses the same repository to which you've linked. If you look at the available packages, they're using openstack-selinux version 0.8.35, which was tagged last August.

That suggests you could use the same package for Rocky 9.

Regarding the firewall, you can of course leave your firewall enabled, but you need to be sure that you don't block ports required by OpenStack and that you don't have rules that conflict with those installed by OpenStack. A good approach is first to set things up with your custom firewall rules disabled and verify that things are working, and then re-introduce your firewall rules and see if anything breaks.

+ 3

jimmymcheung

5/4/24, 10:10 PM

I’m installing on a fresh system, so the firewall is yet to comfigure, but of course the port for OpenStack service should be left open. I get this question because I was reading various tutorials and most mentioned to set `SELinux` to permissive and to disable firewall, the only few that doesn’t mention this are for CentOS 7.

jimmymcheung

5/4/24, 10:16 PM

From the suffix (`el9s`) it seems this is indeed compatible with Rocky Linux 9, I’ll try that out. I was unable to find this package anywhere on the internet.

jimmymcheung

5/4/24, 10:29 PM

I look more into the repo, and found https://mirror.stream.centos.org/SIGs/9-stream/cloud/x86_64/openstack-antelope/Packages/o/openstack-selinux-0.8.36-1.el9s.noarch.rpm is for the openstack’s latest stable release (2023.1-antelope) which is tagged `0.8.36`

Score:0

Server

asktyagi

5/4/24, 1:55 PM

Some people already played with rocky9 and Openstack please check this link https://forums.rockylinux.org/t/openstack-on-rocky/7016.

For rdo packages you can refer https://repos.fedorapeople.org/repos/openstack/, for rocky9 I believe openstack-yoga and openstack-zed only applicable.

+ 1

jimmymcheung

5/4/24, 10:22 PM

Yes, I went through that post before I asked, but it was mainly about rocky8. And just to correct, for el9 (assuming also rocky9) the openstack-antelope (which is released in March this year) is also supported (and I believe antelope can only be installed in el9)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SELinux support for OpenStack deployment on Rocky Linux 9

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.